Windows Analysis Report
wy6S9pbZsY.exe

Overview

General Information

Sample name: wy6S9pbZsY.exe
renamed because original name is a hash value
Original sample name: 72d706281b940ed3b12e2c1d2cdc9e0b.exe
Analysis ID: 1648795
MD5: 72d706281b940ed3b12e2c1d2cdc9e0b
SHA1: 77b6bcdab4d139720480a472378a366553e22fa2
SHA256: 806f318390f3fd7ed23c129362e0b11813dd3e86a8dd051352900b06ec193d8d
Tags: exe, user-abuse_ch

Detection

Amadey
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey
Yara detected Amadeys Clipper DLL
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Hides threads from debuggers
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

[Classification chart. Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious.]
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: wy6S9pbZsY.exe Avira: detected
Source: http://176.113.115.6/Ni9kiput/index.php/Ni9kiput/index.php Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe ReversingLabs: Detection: 61%
Source: wy6S9pbZsY.exe Virustotal: Detection: 57%
Source: wy6S9pbZsY.exe ReversingLabs: Detection: 61%
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 176.113.115.6
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: /Ni9kiput/index.php
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: S-%lu-
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: bb556cff4a
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: rapes.exe
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Startup
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: rundll32
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Programs
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: %USERPROFILE%
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: cred.dll
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: clip.dll
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: http://
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: https://
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: /quiet
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: /Plugins/
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: &unit=
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: shell32.dll
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: kernel32.dll
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: GetNativeSystemInfo
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ProgramData\
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: AVAST Software
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Kaspersky Lab
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Panda Security
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Doctor Web
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 360TotalSecurity
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Bitdefender
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Norton
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Sophos
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Comodo
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: WinDefender
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 0123456789
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ------
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ?scr=1
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ComputerName
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: -unicode-
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: VideoID
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ProductName
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: CurrentBuild
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: rundll32.exe
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: "taskkill /f /im "
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: " && timeout 1 && del
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: && Exit"
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: " && ren
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Powershell.exe
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: shutdown -s -t 0
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: random
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Keyboard Layout\Preload
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 00000419
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 00000422
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 00000423
Source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 0000043f
Source: wy6S9pbZsY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor IPs: 176.113.115.6
Source: Joe Sandbox View IP Address: 176.113.115.6 176.113.115.6
Source: Joe Sandbox View ASN Name: SELECTELRU SELECTELRU
Source: global traffic TCP traffic: 192.168.2.8:49693 -> 176.113.115.6:80
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 12_2_00BA2710 recv,recv,recv,recv, 12_2_00BA2710
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php$
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php/Ni9kiput/index.php
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpP6
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpV
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpj
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpw
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/ecurity=Impersonation

System Summary

Source: wy6S9pbZsY.exe Static PE information: section name:
Source: wy6S9pbZsY.exe Static PE information: section name: .idata
Source: wy6S9pbZsY.exe Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name: .idata
Source: rapes.exe.0.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe File created: C:\Windows\Tasks\rapes.job
Source: wy6S9pbZsY.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: wy6S9pbZsY.exe Static PE information: Section: ZLIB complexity 0.9987355802341598
Source: wy6S9pbZsY.exe Static PE information: Section: aiuksqvx ZLIB complexity 0.9945586043616058
Source: rapes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9987355802341598
Source: rapes.exe.0.dr Static PE information: Section: aiuksqvx ZLIB complexity 0.9945586043616058
Source: rapes.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: wy6S9pbZsY.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe File created: C:\Users\user\AppData\Local\Temp\bb556cff4a
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wy6S9pbZsY.exe Virustotal: Detection: 57%
Source: wy6S9pbZsY.exe ReversingLabs: Detection: 61%
Source: wy6S9pbZsY.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: wy6S9pbZsY.exe String found in binary or memory: " /add
Source: wy6S9pbZsY.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe String found in binary or memory: " /add
Source: rapes.exe String found in binary or memory: " /add /y
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe File read: C:\Users\user\Desktop\wy6S9pbZsY.exe
Source: unknown Process created: C:\Users\user\Desktop\wy6S9pbZsY.exe "C:\Users\user\Desktop\wy6S9pbZsY.exe"
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: wy6S9pbZsY.exe Static file information: File size 1898496 > 1048576
Source: wy6S9pbZsY.exe Static PE information: Raw size of aiuksqvx is bigger than: 0x100000 < 0x19e200

Data Obfuscation

Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Unpacked PE file: 0.2.wy6S9pbZsY.exe.2a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;aiuksqvx:EW;ucnbgxjv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;aiuksqvx:EW;ucnbgxjv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 2.2.rapes.exe.b90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;aiuksqvx:EW;ucnbgxjv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;aiuksqvx:EW;ucnbgxjv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 3.2.rapes.exe.b90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;aiuksqvx:EW;ucnbgxjv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;aiuksqvx:EW;ucnbgxjv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 12.2.rapes.exe.b90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;aiuksqvx:EW;ucnbgxjv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;aiuksqvx:EW;ucnbgxjv:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: rapes.exe.0.dr Static PE information: real checksum: 0x1d0be9 should be: 0x1dec08
Source: wy6S9pbZsY.exe Static PE information: real checksum: 0x1d0be9 should be: 0x1dec08
Source: wy6S9pbZsY.exe Static PE information: section name:
Source: wy6S9pbZsY.exe Static PE information: section name: .idata
Source: wy6S9pbZsY.exe Static PE information: section name:
Source: wy6S9pbZsY.exe Static PE information: section name: aiuksqvx
Source: wy6S9pbZsY.exe Static PE information: section name: ucnbgxjv
Source: wy6S9pbZsY.exe Static PE information: section name: .taggant
Source: rapes.exe.0.dr Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name: .idata
Source: rapes.exe.0.dr Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name: aiuksqvx
Source: rapes.exe.0.dr Static PE information: section name: ucnbgxjv
Source: rapes.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 12_2_00BB9FC1 push ecx; ret 12_2_00BB9FD4
Source: wy6S9pbZsY.exe Static PE information: section name: entropy: 7.982174272975032
Source: wy6S9pbZsY.exe Static PE information: section name: aiuksqvx entropy: 7.952610163902002
Source: rapes.exe.0.dr Static PE information: section name: entropy: 7.982174272975032
Source: rapes.exe.0.dr Static PE information: section name: aiuksqvx entropy: 7.952610163902002
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Boot Survival

Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe File created: C:\Windows\Tasks\rapes.job
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\wy6S9pbZsY.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4BEFCD second address: 4BEFEF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F466C525826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F466C525833h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4BF415 second address: 4BF41A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4BF41A second address: 4BF42E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F466C525826h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4BF42E second address: 4BF49E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F466CDC3DB4h 0x00000008 jmp 00007F466CDC3DAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 jl 00007F466CDC3DABh 0x00000016 push ecx 0x00000017 movsx esi, bx 0x0000001a pop esi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F466CDC3DA8h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 jp 00007F466CDC3DA8h 0x0000003d mov edi, ecx 0x0000003f push 00000000h 0x00000041 mov edi, eax 0x00000043 xchg eax, ebx 0x00000044 jmp 00007F466CDC3DB1h 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d pushad 0x0000004e popad 0x0000004f pushad 0x00000050 popad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4BFECF second address: 4BFED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C1928 second address: 4C1943 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F466CDC3DB0h 0x00000008 jmp 00007F466CDC3DAAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C1943 second address: 4C194D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F466C52582Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C194D second address: 4C199B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F466CDC3DA8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 sub si, 4144h 0x00000026 stc 0x00000027 or esi, dword ptr [ebp+122D32EFh] 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 xchg eax, ebx 0x00000032 push ebx 0x00000033 push esi 0x00000034 jne 00007F466CDC3DA6h 0x0000003a pop esi 0x0000003b pop ebx 0x0000003c push eax 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jnl 00007F466CDC3DA6h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C23C7 second address: 4C23CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C23CB second address: 4C2445 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F466CDC3DA8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov dword ptr [ebp+122D17DCh], esi 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007F466CDC3DA8h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 00000019h 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 mov esi, dword ptr [ebp+122D27D7h] 0x0000004d mov di, ax 0x00000050 xchg eax, ebx 0x00000051 jmp 00007F466CDC3DB3h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C2445 second address: 4C244B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C38AC second address: 4C38B6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F466CDC3DACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C6273 second address: 4C6289 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52582Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C4184 second address: 4C4188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C7288 second address: 4C72FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 or dword ptr [ebp+1246D9BFh], ebx 0x0000000f mov dword ptr [ebp+1246D22Bh], edi 0x00000015 push 00000000h 0x00000017 stc 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F466C525828h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 mov dword ptr [ebp+122D3845h], esi 0x0000003a xor dword ptr [ebp+1244815Eh], eax 0x00000040 xchg eax, esi 0x00000041 jmp 00007F466C525835h 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jp 00007F466C525834h 0x0000004f jmp 00007F466C52582Eh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C4C52 second address: 4C4C56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C63B7 second address: 4C63BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C72FE second address: 4C7305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C645C second address: 4C647C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52582Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jns 00007F466C52582Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C647C second address: 4C6480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C6480 second address: 4C6484 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C8056 second address: 4C80E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466CDC3DACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d add ebx, dword ptr [ebp+122D2A47h] 0x00000013 add ecx, dword ptr [ebp+122D17BAh] 0x00000019 popad 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F466CDC3DA8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 mov ebx, dword ptr [ebp+122D28C3h] 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebp 0x00000041 call 00007F466CDC3DA8h 0x00000046 pop ebp 0x00000047 mov dword ptr [esp+04h], ebp 0x0000004b add dword ptr [esp+04h], 00000015h 0x00000053 inc ebp 0x00000054 push ebp 0x00000055 ret 0x00000056 pop ebp 0x00000057 ret 0x00000058 xor ebx, 4BB79001h 0x0000005e mov dword ptr [ebp+1244E771h], ecx 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F466CDC3DB2h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C80E2 second address: 4C80F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F466C52582Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C8303 second address: 4C830B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C830B second address: 4C830F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C830F second address: 4C832C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F466CDC3DB3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CC095 second address: 4CC107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F466C525826h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F466C525828h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 or ebx, dword ptr [ebp+122D29F3h] 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 jo 00007F466C525829h 0x00000036 movzx ebx, dx 0x00000039 pop edi 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007F466C525828h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 mov ebx, dword ptr [ebp+122D28CFh] 0x0000005c push eax 0x0000005d jo 00007F466C525832h 0x00000063 jl 00007F466C52582Ch 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB3B0 second address: 4CB3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466CDC3DB7h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F466CDC3DADh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CC2F4 second address: 4CC2FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CE063 second address: 4CE0B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F466CDC3DA6h 0x00000009 jo 00007F466CDC3DA6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 jp 00007F466CDC3DA9h 0x00000019 and bl, FFFFFFD8h 0x0000001c push 00000000h 0x0000001e mov bx, ax 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F466CDC3DA8h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 0000001Bh 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 js 00007F466CDC3DACh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CE0B4 second address: 4CE0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CD2FA second address: 4CD30F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F466CDC3DA6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CD30F second address: 4CD315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CF056 second address: 4CF05A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CF05A second address: 4CF0CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 js 00007F466C52582Eh 0x0000000d jns 00007F466C525828h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F466C525828h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e clc 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F466C525828h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b mov dword ptr [ebp+122D1855h], eax 0x00000051 push 00000000h 0x00000053 xchg eax, esi 0x00000054 jnp 00007F466C52583Ch 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F466C52582Ah 0x00000061 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4D00B4 second address: 4D00B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4D00B8 second address: 4D00C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4D00C5 second address: 4D00CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4D00CB second address: 4D00D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4D00D0 second address: 4D00EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F466CDC3DB5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 477C2E second address: 477C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F466C525834h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F466C52582Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CF308 second address: 4CF318 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466CDC3DACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4D02F9 second address: 4D02FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4D470D second address: 4D4757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 ja 00007F466CDC3DA8h 0x0000000f jmp 00007F466CDC3DB4h 0x00000014 popad 0x00000015 nop 0x00000016 mov ebx, edx 0x00000018 push 00000000h 0x0000001a xor dword ptr [ebp+122D3852h], eax 0x00000020 jne 00007F466CDC3DABh 0x00000026 push 00000000h 0x00000028 mov edi, dword ptr [ebp+122D27B7h] 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4D4757 second address: 4D475B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4D59DF second address: 4D59F1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F466CDC3DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F466CDC3DA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4DC4A3 second address: 4DC4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F466C525826h 0x0000000a pop edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 jo 00007F466C525826h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E0C30 second address: 4E0C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F466CDC3DA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E0326 second address: 4E0341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466C52582Fh 0x00000009 jp 00007F466C525826h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E04B5 second address: 4E04BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E30DB second address: 4E30E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 47B0A7 second address: 47B0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 47B0AB second address: 47B0D3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F466C525826h 0x00000008 jmp 00007F466C525834h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 jbe 00007F466C52582Eh 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E8213 second address: 4E8246 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466CDC3DB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F466CDC3DB6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E8246 second address: 4E8250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F466C525826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E8250 second address: 4E8254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E8254 second address: 4E8266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E8266 second address: 4E827D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F466CDC3DB3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E827D second address: 4E828E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E828E second address: 4E8293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E8293 second address: 4E82B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F466C525839h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E8393 second address: 4E8399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E8399 second address: 4E839D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4E839D second address: 4E83B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466CDC3DAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4EC783 second address: 4EC7B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C525837h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F466C525828h 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F466C525826h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4ECE27 second address: 4ECE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4ED150 second address: 4ED15B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4ED2E2 second address: 4ED2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4ED767 second address: 4ED77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F466C52582Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4ED9FD second address: 4EDA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F466CDC3DA6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4EDA0A second address: 4EDA10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4EDA10 second address: 4EDA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466CDC3DB1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4EDA25 second address: 4EDA29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4EDA29 second address: 4EDA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4EDA35 second address: 4EDA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4BC6E3 second address: 4BC705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F466CDC3DB2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 54AEC4 second address: 54AECE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F466C525826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 54AECE second address: 54AEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F466CDC3DB2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 54ABEC second address: 54AC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F466C525826h 0x0000000c jmp 00007F466C52582Bh 0x00000011 jmp 00007F466C52582Dh 0x00000016 popad 0x00000017 jmp 00007F466C525837h 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 54AC2D second address: 54AC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466CDC3DAAh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c popad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F466CDC3DABh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 54AC4F second address: 54AC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 54AC53 second address: 54AC57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 54AC57 second address: 54AC5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 55A007 second address: 55A016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 55A016 second address: 55A01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 55A01A second address: 55A028 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F466CDC3DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 55A028 second address: 55A02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 559EB4 second address: 559EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 56217A second address: 562183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 562183 second address: 562187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5626F1 second address: 562709 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C525834h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 562709 second address: 562712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 562859 second address: 562873 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52582Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 562873 second address: 56287F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 562A05 second address: 562A0A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5662C2 second address: 5662DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466CDC3DB5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5662DB second address: 5662ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F466C525826h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5662ED second address: 5662F7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F466CDC3DA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5662F7 second address: 566313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F466C525836h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 565FA6 second address: 565FAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 56B3A7 second address: 56B3B1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F466C4F44C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 56B3B1 second address: 56B3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 56B3B7 second address: 56B3C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 56B3C1 second address: 56B3C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 577D0F second address: 577D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 577D15 second address: 577D20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 57B1D7 second address: 57B20D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44BDh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F466C4F44BCh 0x00000011 pop edi 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F466C4F44C1h 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 57D2F5 second address: 57D2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 57D2FB second address: 57D30E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 ja 00007F466C4F44B6h 0x0000000c jns 00007F466C4F44B6h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 57D30E second address: 57D336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52AC60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F466C52AC74h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F466C52AC5Ah 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 589AE9 second address: 589AED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 589AED second address: 589B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466C52AC68h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ebx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 58960F second address: 58961A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F466C4F44B6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 58961A second address: 58962B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F466C52AC5Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5897C1 second address: 5897CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5897CD second address: 5897D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5897D1 second address: 5897D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 59E98F second address: 59E9A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466C52AC5Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 59E9A2 second address: 59E9A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 59E9A6 second address: 59E9B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 59E9B2 second address: 59E9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A30D4 second address: 5A30F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F466C52AC60h 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F466C52AC56h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A30F5 second address: 5A3111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A21EE second address: 5A21F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A21F6 second address: 5A21FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A2383 second address: 5A2391 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F466C52AC6Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A2391 second address: 5A23A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466C4F44C2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A23A7 second address: 5A23AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A23AF second address: 5A23B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A23B3 second address: 5A23C1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F466C52AC5Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A23C1 second address: 5A23E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F466C4F44DEh 0x0000000c push edx 0x0000000d jmp 00007F466C4F44C2h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnl 00007F466C4F44B6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A2523 second address: 5A2542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466C52AC61h 0x00000009 jne 00007F466C52AC56h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A2542 second address: 5A2548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A2548 second address: 5A254E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A283A second address: 5A286B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466C4F44C8h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push esi 0x00000010 pop esi 0x00000011 js 00007F466C4F44B6h 0x00000017 jg 00007F466C4F44B6h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A470A second address: 5A473C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop esi 0x0000000b push edi 0x0000000c jl 00007F466C52AC56h 0x00000012 jmp 00007F466C52AC61h 0x00000017 pop edi 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F466C52AC5Ah 0x00000021 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A473C second address: 5A4740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A4740 second address: 5A4750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F466C52AC62h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A4750 second address: 5A4756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A4756 second address: 5A4789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F466C52AC69h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F466C52AC62h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A4789 second address: 5A4793 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F466C4F44B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A7172 second address: 5A7178 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A7680 second address: 5A7684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A8A9A second address: 5A8AA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A8AA0 second address: 5A8AC0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F466C4F44C7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A8AC0 second address: 5A8AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A8AC6 second address: 5A8ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5A8ACC second address: 5A8AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5AAA39 second address: 5AAA4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44BCh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 5AAA4C second address: 5AAA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jnc 00007F466C52AC58h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F466C52AC64h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C90F57 second address: 4C90F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C60EF9 second address: 4C60F14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52AC67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C60F14 second address: 4C60F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F466C4F44C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB006F second address: 4CB0087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F466C52AC64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0087 second address: 4CB008B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20AC1 second address: 4C20AC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20AC5 second address: 4C20ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20ACB second address: 4C20AE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 35FB36FFh 0x00000008 mov cl, 44h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F466C52AC5Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20AE8 second address: 4C20B1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F466C4F44C8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20B1A second address: 4C20B20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20B20 second address: 4C20B63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, ah 0x00000005 pushfd 0x00000006 jmp 00007F466C4F44C9h 0x0000000b or ah, 00000016h 0x0000000e jmp 00007F466C4F44C1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push ebx 0x0000001d pop esi 0x0000001e mov dx, DBAAh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20B63 second address: 4C20B80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52AC60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20B80 second address: 4C20B84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20B84 second address: 4C20B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20B8A second address: 4C20BAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20BE3 second address: 4C20BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20BE7 second address: 4C20BED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20BED second address: 4C20BFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F466C52AC5Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C20BFC second address: 4C20C2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F466C4F44BDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C50C3D second address: 4C50C42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4C50C42 second address: 4C50C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, bh 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F466C4F44BCh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F466C4F44BCh 0x00000018 mov ah, 81h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB09E1 second address: 4CB0A06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52AC68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0A06 second address: 4CB0A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0A0A second address: 4CB0A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0A0E second address: 4CB0A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0A14 second address: 4CB0A1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0A1A second address: 4CB0A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0A1E second address: 4CB0A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F466C52AC5Dh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007F466C52AC63h 0x00000018 pop ecx 0x00000019 pushfd 0x0000001a jmp 00007F466C52AC69h 0x0000001f and ah, 00000076h 0x00000022 jmp 00007F466C52AC61h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB06D4 second address: 4CB06DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edx, si 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB06DC second address: 4CB06E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB06E2 second address: 4CB0712 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F466C4F44C8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0712 second address: 4CB0716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0716 second address: 4CB071C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB071C second address: 4CB072D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F466C52AC5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB072D second address: 4CB0731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0731 second address: 4CB0740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0740 second address: 4CB0744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0744 second address: 4CB075D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52AC65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB075D second address: 4CB0791 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F466C4F44BEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F466C4F44BAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0791 second address: 4CB07A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52AC5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB07A0 second address: 4CB07C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB07C4 second address: 4CB07C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB07C8 second address: 4CB07DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C4F44BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB07DB second address: 4CB07E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0C77 second address: 4CB0C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0C7D second address: 4CB0CA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F466C52AC5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F466C52AC60h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0CA3 second address: 4CB0CA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe RDTSC instruction interceptor: First address: 4CB0CA9 second address: 4CB0D1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F466C52AC5Ch 0x00000009 and eax, 120665D8h 0x0000000f jmp 00007F466C52AC5Bh 0x00000014 popfd 0x00000015 jmp 00007F466C52AC68h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 movzx eax, dx 0x00000024 pushfd 0x00000025 jmp 00007F466C52AC69h 0x0000002a sbb ah, FFFFFFD6h 0x0000002d jmp 00007F466C52AC61h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Special instruction interceptor: First address: 3128EA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Special instruction interceptor: First address: 3129AB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Special instruction interceptor: First address: 31293E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Special instruction interceptor: First address: 4B3F14 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Special instruction interceptor: First address: 4B3BAA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Special instruction interceptor: First address: 4D95F4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Special instruction interceptor: First address: 4BC737 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Special instruction interceptor: First address: 53B846 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: C028EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: C029AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: C0293E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: DA3F14 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: DA3BAA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: DC95F4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: DAC737 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: E2B846 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Code function: 0_2_04CB0C18 rdtsc 0_2_04CB0C18
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 476
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 2243
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 2211
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8156 Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8156 Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8164 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8164 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8120 Thread sleep count: 476 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8120 Thread sleep time: -14280000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 4120 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8148 Thread sleep count: 2243 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8148 Thread sleep time: -4488243s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8144 Thread sleep count: 2211 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8144 Thread sleep time: -4424211s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8160 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8160 Thread sleep time: -90045s >= -30000s
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 30000
Source: rapes.exe, rapes.exe, 0000000C.00000002.2097126875.0000000000D82000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: wy6S9pbZsY.exe, 00000000.00000002.926322045.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\X7
Source: rapes.exe, 0000000C.00000002.2096177907.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000C.00000002.2096177907.0000000000908000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wy6S9pbZsY.exe, 00000000.00000002.924972432.0000000000492000.00000040.00000001.01000000.00000003.sdmp, rapes.exe, 00000002.00000002.965140204.0000000000D82000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 00000003.00000002.975295753.0000000000D82000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 0000000C.00000002.2097126875.0000000000D82000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SIWVID
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Code function: 0_2_04CB0C18 rdtsc 0_2_04CB0C18
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 12_2_00BC5FF2 mov eax, dword ptr fs:[00000030h] 12_2_00BC5FF2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 12_2_00BBDB60 mov eax, dword ptr fs:[00000030h] 12_2_00BBDB60
Source: C:\Users\user\Desktop\wy6S9pbZsY.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: rapes.exe, rapes.exe, 0000000C.00000002.2097126875.0000000000D82000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 12_2_00BB9AB5 cpuid 12_2_00BB9AB5
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 12_2_00BB93A7 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 12_2_00BB93A7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 12_2_00B961F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegEnumValueA,DeleteObject,DeleteObject,DeleteObject,LookupAccountNameA, 12_2_00B961F0

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.965069438.0000000000B91000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.934824587.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.924500851.00000000002A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.924592214.0000000005380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2096872355.0000000000B91000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1331078876.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.883491473.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: wy6S9pbZsY.exe String found in binary or memory: net start termservice
Source: wy6S9pbZsY.exe, 00000000.00000002.924500851.00000000002A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: net start termservice
Source: wy6S9pbZsY.exe, 00000000.00000002.924500851.00000000002A1000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: wy6S9pbZsY.exe, 00000000.00000003.883491473.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: wy6S9pbZsY.exe, 00000000.00000003.883491473.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.965069438.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.965069438.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000002.00000003.924592214.0000000005380000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000003.924592214.0000000005380000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fDenyTSConnections, SYSTEM\CurrentControlSet\Control\Terminal Server, netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes, sc config termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000003.00000002.975223437.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: fDenyTSConnections, SYSTEM\CurrentControlSet\Control\Terminal Server, netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes, sc config termservice
Source: rapes.exe, 00000003.00000003.934824587.0000000005190000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000003.00000003.934824587.0000000005190000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fDenyTSConnections, SYSTEM\CurrentControlSet\Control\Terminal Server, netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes, sc config termservice
Source: rapes.exe, 0000000C.00000002.2096872355.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000002.2096872355.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: fDenyTSConnections, SYSTEM\CurrentControlSet\Control\Terminal Server, netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes, sc config termservice
Source: rapes.exe, 0000000C.00000003.1331078876.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 0000000C.00000003.1331078876.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fDenyTSConnections, SYSTEM\CurrentControlSet\Control\Terminal Server, netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes, sc config termservice