Windows Analysis Report
BakvzfVilG.exe

Overview

General Information

Sample name: BakvzfVilG.exe (renamed because the original name is a hash value)
Original sample name: 05c8f3700c6327871c199be6417c5c9c.exe
Analysis ID: 1648799
MD5: 05c8f3700c6327871c199be6417c5c9c
SHA1: 8f4862310762601e271ac27535382d5c7ed740e7
SHA256: 18cd20dd8567ce6137508f9dece0571f32741ddaa15d8884ad090a4dce7bab1a
Tags: exe, user-abuse_ch

Detection

Amadey
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey
Yara detected Amadeys Clipper DLL
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Hides threads from debuggers
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: BakvzfVilG.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe ReversingLabs: Detection: 63%
Source: BakvzfVilG.exe Virustotal: Detection: 60%
Source: BakvzfVilG.exe ReversingLabs: Detection: 63%
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: 176.113.115.6
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Ni9kiput/index.php
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: S-%lu-
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: bb556cff4a
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: rapes.exe
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Startup
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Programs
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: %USERPROFILE%
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: clip.dll
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: http://
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: https://
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: /quiet
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Plugins/
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: &unit=
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: shell32.dll
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: kernel32.dll
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: GetNativeSystemInfo
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProgramData\
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: AVAST Software
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Kaspersky Lab
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Panda Security
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Doctor Web
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: 360TotalSecurity
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Bitdefender
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Norton
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Sophos
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Comodo
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: WinDefender
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: 0123456789
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: ------
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: ?scr=1
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: ComputerName
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: -unicode-
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: VideoID
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProductName
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: CurrentBuild
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32.exe
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: "taskkill /f /im "
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && timeout 1 && del
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: && Exit"
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && ren
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Powershell.exe
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: shutdown -s -t 0
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: random
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: Keyboard Layout\Preload
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: 00000419
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: 00000422
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: 00000423
Source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String decryptor: 0000043f
Source: BakvzfVilG.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor IPs: 176.113.115.6
Source: Joe Sandbox View IP Address: 176.113.115.6
Source: Joe Sandbox View ASN Name: SELECTELRU
Source: global traffic TCP traffic: 192.168.2.6:49699 -> 176.113.115.6:80
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000D2710 recv,recv,recv,recv, 11_2_000D2710
Source: rapes.exe, 0000000B.00000002.2462059724.000000000141B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6
Source: rapes.exe, 0000000B.00000002.2462059724.0000000001459000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.2462059724.0000000001470000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.2462059724.000000000141B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
Source: rapes.exe, 0000000B.00000002.2462059724.0000000001470000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpK

System Summary

Source: BakvzfVilG.exe Static PE information: section name:
Source: BakvzfVilG.exe Static PE information: section name: .idata
Source: BakvzfVilG.exe Static PE information: section name:
Source: rapes.exe.1.dr Static PE information: section name:
Source: rapes.exe.1.dr Static PE information: section name: .idata
Source: rapes.exe.1.dr Static PE information: section name:
Source: C:\Users\user\Desktop\BakvzfVilG.exe File created: C:\Windows\Tasks\rapes.job
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 7_1_002B06B9
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B2ABD 7_1_002B2ABD
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_001BDABD 7_1_001BDABD
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_00258695 7_1_00258695
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002A6E92 7_1_002A6E92
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_0029E290 7_1_0029E290
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_001328D3 7_1_001328D3
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002AECE7 7_1_002AECE7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002A32F1 7_1_002A32F1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002A4ED9 7_1_002A4ED9
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_00182D1A 7_1_00182D1A
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002AD125 7_1_002AD125
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002A1939 7_1_002A1939
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_0014E93E 7_1_0014E93E
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_0029FD47 7_1_0029FD47
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_0025C9AA 7_1_0025C9AA
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_0020D985 7_1_0020D985
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_00217FC7 7_1_00217FC7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_0029ADC4 7_1_0029ADC4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_0029C7D7 7_1_0029C7D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_001F6DE0 7_1_001F6DE0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000C61F0 11_2_000C61F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000CB700 11_2_000CB700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000F2C20 11_2_000F2C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000CCC40 11_2_000CCC40
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_00104047 11_2_00104047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000C5450 11_2_000C5450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_00105CD4 11_2_00105CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_001018D7 11_2_001018D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000EB4C0 11_2_000EB4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000C51A0 11_2_000C51A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_00105DF4 11_2_00105DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000FC6DD 11_2_000FC6DD
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000EF6DB 11_2_000EF6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000C4EF0 11_2_000C4EF0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000D7320 11_2_000D7320
Source: BakvzfVilG.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BakvzfVilG.exe Static PE information: Section: ZLIB complexity 0.9984880767906336
Source: BakvzfVilG.exe Static PE information: Section: uwpmtuor ZLIB complexity 0.9947662175466745
Source: rapes.exe.1.dr Static PE information: Section: ZLIB complexity 0.9984880767906336
Source: rapes.exe.1.dr Static PE information: Section: uwpmtuor ZLIB complexity 0.9947662175466745
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\BakvzfVilG.exe File created: C:\Users\user\AppData\Local\Temp\bb556cff4a
Source: C:\Users\user\Desktop\BakvzfVilG.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\BakvzfVilG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BakvzfVilG.exe Virustotal: Detection: 60%
Source: BakvzfVilG.exe ReversingLabs: Detection: 63%
Source: BakvzfVilG.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: BakvzfVilG.exe String found in binary or memory: " /add
Source: BakvzfVilG.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: " /add
Source: C:\Users\user\Desktop\BakvzfVilG.exe File read: C:\Users\user\Desktop\BakvzfVilG.exe
Source: unknown Process created: C:\Users\user\Desktop\BakvzfVilG.exe "C:\Users\user\Desktop\BakvzfVilG.exe"
Source: C:\Users\user\Desktop\BakvzfVilG.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BakvzfVilG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: BakvzfVilG.exe Static file information: File size 1957376 > 1048576
Source: BakvzfVilG.exe Static PE information: Raw size of uwpmtuor is bigger than: 0x100000 < 0x1ac800

Data Obfuscation

Source: C:\Users\user\Desktop\BakvzfVilG.exe Unpacked PE file: 1.2.BakvzfVilG.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;uwpmtuor:EW;gmcyadkd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;uwpmtuor:EW;gmcyadkd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 5.2.rapes.exe.c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;uwpmtuor:EW;gmcyadkd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;uwpmtuor:EW;gmcyadkd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 7.2.rapes.exe.c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;uwpmtuor:EW;gmcyadkd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;uwpmtuor:EW;gmcyadkd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 11.2.rapes.exe.c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;uwpmtuor:EW;gmcyadkd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;uwpmtuor:EW;gmcyadkd:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: rapes.exe.1.dr Static PE information: real checksum: 0x1e87d0 should be: 0x1e3e95
Source: BakvzfVilG.exe Static PE information: real checksum: 0x1e87d0 should be: 0x1e3e95
Source: BakvzfVilG.exe Static PE information: section name:
Source: BakvzfVilG.exe Static PE information: section name: .idata
Source: BakvzfVilG.exe Static PE information: section name:
Source: BakvzfVilG.exe Static PE information: section name: uwpmtuor
Source: BakvzfVilG.exe Static PE information: section name: gmcyadkd
Source: BakvzfVilG.exe Static PE information: section name: .taggant
Source: rapes.exe.1.dr Static PE information: section name:
Source: rapes.exe.1.dr Static PE information: section name: .idata
Source: rapes.exe.1.dr Static PE information: section name:
Source: rapes.exe.1.dr Static PE information: section name: uwpmtuor
Source: rapes.exe.1.dr Static PE information: section name: gmcyadkd
Source: rapes.exe.1.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_0013305C push ebx; mov dword ptr [esp], ebp 7_1_0013386D
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_00168E53 push edx; mov dword ptr [esp], esi 7_1_00168EB7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_00133256 push es; iretd 7_1_0013325C
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_001AE660 push ebx; mov dword ptr [esp], ecx 7_1_001AE6B7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_001AE660 push edi; mov dword ptr [esp], eax 7_1_001AE6C3
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_001AE660 push 78820BECh; mov dword ptr [esp], ebx 7_1_001AE76A
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 430F6AA4h; mov dword ptr [esp], edx 7_1_002B0756
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push edi; mov dword ptr [esp], edx 7_1_002B07CC
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push esi; mov dword ptr [esp], ebx 7_1_002B0814
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 4E51E949h; mov dword ptr [esp], edi 7_1_002B0907
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 5C895FA7h; mov dword ptr [esp], eax 7_1_002B0929
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push edx; mov dword ptr [esp], eax 7_1_002B094D
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 27258900h; mov dword ptr [esp], ecx 7_1_002B09A4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 3F364B17h; mov dword ptr [esp], ecx 7_1_002B0A33
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push ebx; mov dword ptr [esp], esp 7_1_002B0A3A
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 6ED87777h; mov dword ptr [esp], edx 7_1_002B0A42
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push edx; mov dword ptr [esp], ebp 7_1_002B0A7C
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push eax; mov dword ptr [esp], 6B743C37h 7_1_002B0B46
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push edi; mov dword ptr [esp], eax 7_1_002B0B7F
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 512C546Eh; mov dword ptr [esp], esi 7_1_002B0BD3
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 18D7BFF5h; mov dword ptr [esp], edx 7_1_002B0C3B
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push ebp; mov dword ptr [esp], edx 7_1_002B0CF5
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 48AFA766h; mov dword ptr [esp], ecx 7_1_002B0D71
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push edi; mov dword ptr [esp], ebp 7_1_002B0DBE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push edx; mov dword ptr [esp], ecx 7_1_002B0E11
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 225A862Ah; mov dword ptr [esp], ecx 7_1_002B0E2C
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push eax; mov dword ptr [esp], 573A68A6h 7_1_002B0E46
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 2E7D3D3Fh; mov dword ptr [esp], edi 7_1_002B0E91
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 1E764E22h; mov dword ptr [esp], ecx 7_1_002B0E99
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 358A7646h; mov dword ptr [esp], ebx 7_1_002B0EF6
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 7_1_002B06B9 push 5C31EEE1h; mov dword ptr [esp], esi 7_1_002B0F13
Source: BakvzfVilG.exe Static PE information: section name: entropy: 7.980062958503209
Source: BakvzfVilG.exe Static PE information: section name: uwpmtuor entropy: 7.9540224982484675
Source: rapes.exe.1.dr Static PE information: section name: entropy: 7.980062958503209
Source: rapes.exe.1.dr Static PE information: section name: uwpmtuor entropy: 7.9540224982484675
Source: C:\Users\user\Desktop\BakvzfVilG.exe File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Boot Survival

Source: C:\Users\user\Desktop\BakvzfVilG.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\BakvzfVilG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\BakvzfVilG.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\BakvzfVilG.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\BakvzfVilG.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\BakvzfVilG.exe File created: C:\Windows\Tasks\rapes.job
Source: C:\Users\user\Desktop\BakvzfVilG.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\BakvzfVilG.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\BakvzfVilG.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E9F17 second address: 8E9F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E9F1B second address: 8E9F25 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0714538B96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E9F25 second address: 8E9F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E8EEC second address: 8E8EF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E8EF0 second address: 8E8F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jp 00007F0714AED256h 0x00000011 jl 00007F0714AED256h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E8F08 second address: 8E8F0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E8F0D second address: 8E8F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E91BA second address: 8E91F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0714538BA7h 0x0000000b jmp 00007F0714538BA9h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E94C0 second address: 8E94D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0714AED261h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E94D6 second address: 8E94DB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB1D6 second address: 8EB1E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0714AED256h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB24F second address: 8EB2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007F0714538BA6h 0x0000000b pop eax 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 jnp 00007F0714538B9Ch 0x00000016 add edx, dword ptr [ebp+122D1A21h] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F0714538B98h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 pushad 0x00000039 cld 0x0000003a jl 00007F0714538B99h 0x00000040 movsx eax, ax 0x00000043 popad 0x00000044 call 00007F0714538BA7h 0x00000049 mov edx, dword ptr [ebp+122D2C41h] 0x0000004f pop edx 0x00000050 call 00007F0714538B99h 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB2D8 second address: 8EB2FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jo 00007F0714533646h 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 jbe 00007F071453365Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F071453364Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB2FC second address: 8EB300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB300 second address: 8EB327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jno 00007F0714533648h 0x00000011 jnp 00007F071453364Ch 0x00000017 jc 00007F0714533646h 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB327 second address: 8EB335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F0714AED096h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB335 second address: 8EB3E8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0714533646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 jmp 00007F0714533655h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b popad 0x0000001c pop eax 0x0000001d mov dword ptr [ebp+122D19C9h], edi 0x00000023 push 00000003h 0x00000025 or edi, dword ptr [ebp+122D2B41h] 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e mov ecx, dword ptr [ebp+122D2B5Dh] 0x00000034 pop edi 0x00000035 push 00000003h 0x00000037 mov dword ptr [ebp+122D1803h], ecx 0x0000003d push A27C89EDh 0x00000042 jns 00007F0714533659h 0x00000048 xor dword ptr [esp], 627C89EDh 0x0000004f mov dword ptr [ebp+122D1AC9h], eax 0x00000055 lea ebx, dword ptr [ebp+1245C130h] 0x0000005b mov edi, dword ptr [ebp+122D2ACDh] 0x00000061 jmp 00007F0714533658h 0x00000066 xchg eax, ebx 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007F0714533654h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB3E8 second address: 8EB41A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED0A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F0714AED0AAh 0x00000012 jmp 00007F0714AED0A4h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB483 second address: 8EB4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F0714533648h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D312Ch], edi 0x0000002b push 00000000h 0x0000002d jmp 00007F0714533658h 0x00000032 call 00007F0714533649h 0x00000037 push ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB4E0 second address: 8EB4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB4E4 second address: 8EB4FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0714533651h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB4FF second address: 8EB509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0714AED096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB509 second address: 8EB5F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jg 00007F071453364Ah 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007F0714533651h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e jp 00007F0714533648h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 jmp 00007F0714533658h 0x0000002b popad 0x0000002c pop eax 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007F0714533648h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000016h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 push 00000003h 0x00000049 jmp 00007F071453364Ah 0x0000004e push 00000000h 0x00000050 stc 0x00000051 push 00000003h 0x00000053 jmp 00007F0714533658h 0x00000058 mov ecx, dword ptr [ebp+122D2C51h] 0x0000005e call 00007F0714533649h 0x00000063 jnl 00007F0714533669h 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d push ecx 0x0000006e pop ecx 0x0000006f jmp 00007F0714533652h 0x00000074 popad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB5F1 second address: 8EB609 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F0714AED096h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB609 second address: 8EB60D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB60D second address: 8EB613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB613 second address: 8EB618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB751 second address: 8EB790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 jbe 00007F0714AED0A2h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jp 00007F0714AED0ACh 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB8B1 second address: 8EB8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0714533646h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8EB8BC second address: 8EB8C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F0714AED096h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8FDB69 second address: 8FDB6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8FDB6E second address: 8FDB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90B491 second address: 90B4CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F071453364Ah 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0714533651h 0x00000014 je 00007F071453365Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90B64E second address: 90B653 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90B653 second address: 90B659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90B659 second address: 90B687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0714AED0A7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F0714AED0C1h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 jns 00007F0714AED096h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90B92E second address: 90B934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90BEC6 second address: 90BED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0714AED09Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90BED8 second address: 90BEF5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F0714533648h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F0714533652h 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90C199 second address: 90C19D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90C19D second address: 90C1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90C1AB second address: 90C1AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90C2E1 second address: 90C2E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90015D second address: 900163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 900163 second address: 900168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8CC2F2 second address: 8CC2F7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8CC2F7 second address: 8CC2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90CB13 second address: 90CB1D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0714AED09Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90CF41 second address: 90CF58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F071453364Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 90CF58 second address: 90CF86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED0A6h 0x00000007 jmp 00007F0714AED0A4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8DB196 second address: 8DB1A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8DB1A0 second address: 8DB1A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8DB1A4 second address: 8DB1AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 911DB5 second address: 911DB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 911DB9 second address: 911DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 911DC3 second address: 911DD4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jbe 00007F0714AED09Eh 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91202E second address: 912037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 912037 second address: 91203B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91203B second address: 912061 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F071453364Ch 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 push edi 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 jbe 00007F0714533646h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 913E71 second address: 913E82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED09Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8D7E84 second address: 8D7E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8D7E8C second address: 8D7EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pushad 0x0000000b push edx 0x0000000c jmp 00007F0714AED0A7h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91A323 second address: 91A328 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91996F second address: 919975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91B804 second address: 91B8B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F0714533657h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push esi 0x0000000f push ecx 0x00000010 jmp 00007F0714533657h 0x00000015 pop ecx 0x00000016 pop esi 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b ja 00007F0714533657h 0x00000021 mov eax, dword ptr [eax] 0x00000023 jnc 00007F0714533660h 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d jmp 00007F0714533652h 0x00000032 pop eax 0x00000033 jmp 00007F0714533651h 0x00000038 call 00007F0714533649h 0x0000003d push eax 0x0000003e push edx 0x0000003f jng 00007F0714533648h 0x00000045 push edx 0x00000046 pop edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91B8B7 second address: 91B8BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91B8BD second address: 91B920 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533651h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F071453364Fh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jno 00007F0714533665h 0x0000001b mov eax, dword ptr [eax] 0x0000001d pushad 0x0000001e jng 00007F0714533648h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 js 00007F0714533646h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91B920 second address: 91B93A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0714AED096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jo 00007F0714AED0A0h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91BD81 second address: 91BD85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91BD85 second address: 91BD89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91BD89 second address: 91BD8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91C56B second address: 91C57D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, ebx 0x00000007 mov dword ptr [ebp+122D1AB0h], eax 0x0000000d nop 0x0000000e push edi 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91C57D second address: 91C59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F0714533650h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91C7BB second address: 91C7C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91C891 second address: 91C896 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91CADD second address: 91CB00 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0714AED09Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jnl 00007F0714AED097h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 jo 00007F0714AED096h 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91D8CB second address: 91D8DC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0714533648h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91D737 second address: 91D749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0714AED09Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91E9A0 second address: 91EA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jnc 00007F071453364Bh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F0714533648h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b jmp 00007F0714533650h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F0714533648h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000017h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c xchg eax, ebx 0x0000004d push eax 0x0000004e push edx 0x0000004f ja 00007F0714533648h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91EA0F second address: 91EA2D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0714AED0A3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91EA2D second address: 91EA33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91EA33 second address: 91EA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91F465 second address: 91F4A2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0714533655h 0x00000008 jmp 00007F071453364Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 sub dword ptr [ebp+1245CA18h], esi 0x00000018 push 00000000h 0x0000001a or si, 3772h 0x0000001f push 00000000h 0x00000021 cld 0x00000022 sub edi, 4B6DBD13h 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push ecx 0x0000002c jng 00007F0714533646h 0x00000032 pop ecx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91FE8E second address: 91FEA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0714AED09Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 91FEA0 second address: 91FF06 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0714533646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f or dword ptr [ebp+122D56B2h], esi 0x00000015 push 00000000h 0x00000017 pushad 0x00000018 call 00007F0714533652h 0x0000001d cld 0x0000001e pop eax 0x0000001f mov ax, di 0x00000022 popad 0x00000023 mov dword ptr [ebp+122D1BB4h], eax 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F0714533648h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+122D17F0h] 0x0000004b push eax 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9215EA second address: 9215F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9215F0 second address: 9215F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 924CE2 second address: 924CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9262C0 second address: 9262C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 925419 second address: 9254C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0714AED09Ah 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F0714AED0A2h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F0714AED098h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e push dword ptr fs:[00000000h] 0x00000035 add dword ptr [ebp+12457254h], edx 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 push 00000000h 0x00000044 push ebp 0x00000045 call 00007F0714AED098h 0x0000004a pop ebp 0x0000004b mov dword ptr [esp+04h], ebp 0x0000004f add dword ptr [esp+04h], 00000018h 0x00000057 inc ebp 0x00000058 push ebp 0x00000059 ret 0x0000005a pop ebp 0x0000005b ret 0x0000005c mov ebx, dword ptr [ebp+1247CC0Bh] 0x00000062 mov eax, dword ptr [ebp+122D0669h] 0x00000068 sub edi, 7072FA17h 0x0000006e push FFFFFFFFh 0x00000070 mov ebx, dword ptr [ebp+12456D42h] 0x00000076 nop 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a jmp 00007F0714AED0A2h 0x0000007f rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9254C8 second address: 9254CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9272B8 second address: 9272DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0714AED0A9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9264E4 second address: 9264E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9272DA second address: 9272E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9264E8 second address: 926547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F0714533648h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push dword ptr fs:[00000000h] 0x00000029 mov ebx, dword ptr [ebp+122D2B35h] 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov ebx, ecx 0x00000038 pushad 0x00000039 mov ecx, dword ptr [ebp+122D295Dh] 0x0000003f mov dl, 36h 0x00000041 popad 0x00000042 mov eax, dword ptr [ebp+122D0711h] 0x00000048 add di, 426Fh 0x0000004d push FFFFFFFFh 0x0000004f mov edi, dword ptr [ebp+122D2995h] 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push ecx 0x00000059 pushad 0x0000005a popad 0x0000005b pop ecx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9272E0 second address: 927336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 or dword ptr [ebp+12485954h], ebx 0x0000000f and bl, FFFFFF94h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 sub dword ptr [ebp+122D27DFh], edx 0x0000001b pop edi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F0714AED098h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F0714AED0A5h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 928288 second address: 92828C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 927587 second address: 92758C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92925C second address: 929262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 929262 second address: 929268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 929268 second address: 92926C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92A182 second address: 92A18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92A18E second address: 92A19F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F0714533646h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92A19F second address: 92A1A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92A1A3 second address: 92A1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92B101 second address: 92B105 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92B105 second address: 92B158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F0714533648h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 sbb edi, 7EAC6A5Fh 0x00000029 push 00000000h 0x0000002b and bl, FFFFFFB0h 0x0000002e push 00000000h 0x00000030 movsx ebx, di 0x00000033 push ecx 0x00000034 mov dword ptr [ebp+1246BA95h], esi 0x0000003a pop ebx 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F071453364Eh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92B3C0 second address: 92B3D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED0A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92B3D9 second address: 92B3DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92B3DE second address: 92B3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92D10F second address: 92D119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92C333 second address: 92C356 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED0A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b pushad 0x0000000c jmp 00007F0714AED09Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92DFBC second address: 92DFC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92DFC0 second address: 92DFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F0714AED09Dh 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F0714AED09Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92DFE1 second address: 92DFE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92DFE5 second address: 92DFEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9310C2 second address: 9310C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9310C9 second address: 9310CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9310CF second address: 9310D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9310D3 second address: 931135 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F0714AED098h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D20EEh], eax 0x00000029 je 00007F0714AED09Ch 0x0000002f mov dword ptr [ebp+124572A0h], edx 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+124572D4h], edi 0x0000003d push 00000000h 0x0000003f mov ebx, 0A47F792h 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 pushad 0x00000049 popad 0x0000004a jmp 00007F0714AED0A2h 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 931135 second address: 93113A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 93113A second address: 931158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F0714AED0A4h 0x00000010 jmp 00007F0714AED09Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 933757 second address: 933761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 933761 second address: 933765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 933765 second address: 9337E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a clc 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F0714533648h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D28C1h], esi 0x0000002d push 00000000h 0x0000002f pushad 0x00000030 push edx 0x00000031 jnl 00007F0714533646h 0x00000037 pop eax 0x00000038 mov ebx, 4B7F21ADh 0x0000003d popad 0x0000003e xchg eax, esi 0x0000003f pushad 0x00000040 pushad 0x00000041 jmp 00007F0714533656h 0x00000046 push edi 0x00000047 pop edi 0x00000048 popad 0x00000049 jng 00007F0714533648h 0x0000004f popad 0x00000050 push eax 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F0714533650h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9337E5 second address: 9337F3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F0714AED096h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9337F3 second address: 9337F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92E124 second address: 92E128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92E128 second address: 92E12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92E12E second address: 92E133 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92E209 second address: 92E223 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F071453364Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F0714533654h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92F1FE second address: 92F202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9302B4 second address: 93035E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0714533646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jmp 00007F0714533653h 0x00000011 nop 0x00000012 adc di, 2007h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e call 00007F0714533655h 0x00000023 mov ebx, 3FC0DF5Eh 0x00000028 pop ebx 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 mov dword ptr [ebp+1245C192h], edi 0x00000036 movzx edi, si 0x00000039 mov eax, dword ptr [ebp+122D06F5h] 0x0000003f push 00000000h 0x00000041 push ebp 0x00000042 call 00007F0714533648h 0x00000047 pop ebp 0x00000048 mov dword ptr [esp+04h], ebp 0x0000004c add dword ptr [esp+04h], 00000018h 0x00000054 inc ebp 0x00000055 push ebp 0x00000056 ret 0x00000057 pop ebp 0x00000058 ret 0x00000059 sbb di, 5D4Ah 0x0000005e push FFFFFFFFh 0x00000060 call 00007F0714533656h 0x00000065 jp 00007F0714533647h 0x0000006b pop ebx 0x0000006c or bh, FFFFFF84h 0x0000006f push eax 0x00000070 push esi 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92F202 second address: 92F274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+122D2B99h] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F0714AED098h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 movsx edi, bx 0x0000003b mov eax, dword ptr [ebp+122D0641h] 0x00000041 mov edi, dword ptr [ebp+122D2A55h] 0x00000047 push FFFFFFFFh 0x00000049 jbe 00007F0714AED099h 0x0000004f mov bx, di 0x00000052 nop 0x00000053 push eax 0x00000054 jns 00007F0714AED09Ch 0x0000005a pop eax 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 jp 00007F0714AED096h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92F274 second address: 92F27A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92D275 second address: 92D279 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92F27A second address: 92F284 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F0714533646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92D279 second address: 92D289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 92F284 second address: 92F288 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9312EE second address: 9312F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 933928 second address: 93393A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0714533648h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 935B57 second address: 935B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98347C second address: 983487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F0714533646h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983487 second address: 98349E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0714AED09Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98349E second address: 9834A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 8E0248 second address: 8E0253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983749 second address: 98375F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 je 00007F071453364Eh 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983A34 second address: 983A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983A38 second address: 983A3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983A3C second address: 983A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0714AED09Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983A53 second address: 983A5D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0714533646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983A5D second address: 983A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0714AED096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983A67 second address: 983A72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983D38 second address: 983D48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED09Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983D48 second address: 983D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0714533654h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 983D62 second address: 983D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98405C second address: 98407B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0714533652h 0x00000009 popad 0x0000000a pop ecx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98407B second address: 984081 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 984932 second address: 984938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 984938 second address: 984961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0714AED0A8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F0714AED09Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 985239 second address: 985257 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F0714533658h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98A2E6 second address: 98A2F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0714AED096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98A2F0 second address: 98A305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F0714533646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d js 00007F0714533646h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98A305 second address: 98A310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98A310 second address: 98A316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98E340 second address: 98E34A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0714AED096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98E34A second address: 98E34E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98D55B second address: 98D567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0714AED09Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98D567 second address: 98D56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98D729 second address: 98D735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98D97F second address: 98D983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98D983 second address: 98D98D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0714AED096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98D98D second address: 98D993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98D993 second address: 98D999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 98D999 second address: 98D9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F071453364Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 997B0B second address: 997B3A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0714AED09Eh 0x00000008 jns 00007F0714AED096h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0714AED0A7h 0x00000017 jl 00007F0714AED096h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 995E37 second address: 995E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 995E3D second address: 995E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 99601E second address: 996036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533654h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 996036 second address: 99603C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 99603C second address: 996040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 996322 second address: 996326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 99684D second address: 996871 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jc 00007F0714533646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F071453364Fh 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 996871 second address: 996898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F0714AED0B2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 996898 second address: 9968A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9968A0 second address: 9968A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9968A4 second address: 9968A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 995A55 second address: 995A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 99D5EC second address: 99D60E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 jmp 00007F071453364Ch 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F071453364Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 99D60E second address: 99D614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9AC87F second address: 9AC88A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9AC88A second address: 9AC88E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9AC88E second address: 9AC894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9B0748 second address: 9B074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9B074E second address: 9B0752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9B0752 second address: 9B0797 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED0A5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F0714AED0A1h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F0714AED09Bh 0x0000001b js 00007F0714AED09Eh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9B0908 second address: 9B091C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533650h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9B729B second address: 9B729F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9B729F second address: 9B72A9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0714533646h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9BE80D second address: 9BE813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5953 second address: 9C5957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5A99 second address: 9C5AA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5AA7 second address: 9C5AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5AAB second address: 9C5AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5AAF second address: 9C5AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5AB5 second address: 9C5AE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0714AED0A3h 0x00000008 jmp 00007F0714AED0A1h 0x0000000d jl 00007F0714AED096h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5F33 second address: 9C5F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F071453364Bh 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F0714533646h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5F51 second address: 9C5F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5F55 second address: 9C5F6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F0714533650h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5F6F second address: 9C5F93 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0714AED0AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C5F93 second address: 9C5F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C60E6 second address: 9C60EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C88EF second address: 9C88F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0714533646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C8779 second address: 9C877F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C9F3D second address: 9C9F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9C9F41 second address: 9C9F79 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0714AED096h 0x00000008 jo 00007F0714AED096h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F0714AED09Dh 0x00000015 pop ecx 0x00000016 push ecx 0x00000017 jmp 00007F0714AED0A1h 0x0000001c push eax 0x0000001d push edx 0x0000001e jl 00007F0714AED096h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9D1B81 second address: 9D1B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9D1B85 second address: 9D1B89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9D1B89 second address: 9D1B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0714533646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9E12F7 second address: 9E130A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jne 00007F0714AED096h 0x00000009 ja 00007F0714AED096h 0x0000000f pop edi 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9E130A second address: 9E1310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9EE807 second address: 9EE815 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0714AED096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9F0F9E second address: 9F0FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9F0FA2 second address: 9F0FAC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0714AED09Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9F3011 second address: 9F301F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jo 00007F0714533646h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9F301F second address: 9F302C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9F302C second address: 9F3060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0714533654h 0x00000009 jmp 00007F0714533655h 0x0000000e ja 00007F0714533646h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9F2BDC second address: 9F2BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9F2BE0 second address: 9F2BF9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0714533646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F071453364Bh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 9F2BF9 second address: 9F2C11 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0714AED096h 0x00000008 jng 00007F0714AED096h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AAA3 second address: A0AAAD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AAAD second address: A0AAB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AAB1 second address: A0AABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0714533646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AABD second address: A0AAC2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AAC2 second address: A0AAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AAC8 second address: A0AAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0714AED0A3h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AAE8 second address: A0AAEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AAEC second address: A0AB10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED0A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F0714AED09Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AB10 second address: A0AB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AB14 second address: A0AB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0714AED096h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AB20 second address: A0AB24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0AB24 second address: A0AB2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0B364 second address: A0B390 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F071453364Bh 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0B390 second address: A0B398 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0B398 second address: A0B3DE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jc 00007F0714533646h 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007F0714533656h 0x00000010 jmp 00007F0714533659h 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0B517 second address: A0B51B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0E231 second address: A0E254 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0714533653h 0x00000008 jmp 00007F071453364Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jbe 00007F0714533650h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0E520 second address: A0E534 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0714AED096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jbe 00007F0714AED09Eh 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A0E534 second address: A0E554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 mov dh, bl 0x00000008 push 00000004h 0x0000000a mov dl, cl 0x0000000c sbb dx, C0A9h 0x00000011 push E712A2DAh 0x00000016 push ecx 0x00000017 pushad 0x00000018 jc 00007F0714533646h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A11995 second address: A1199A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A1199A second address: A119B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F071453364Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A119B1 second address: A119D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0714AED0A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A119D2 second address: A119EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533650h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A119EE second address: A119F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A11503 second address: A1150B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A1150B second address: A11511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A11511 second address: A11522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F071453364Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A11522 second address: A1152F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: A1358C second address: A135AF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0714533659h 0x00000008 jns 00007F071453364Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110006 second address: 511000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 511000C second address: 5110028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov edx, esi 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0714533651h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110028 second address: 511002E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 511002E second address: 5110032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110032 second address: 5110081 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F0714AED0A4h 0x0000000f push esi 0x00000010 movsx edx, si 0x00000013 pop ecx 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F0714AED0A9h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0714AED09Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110081 second address: 5110086 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110086 second address: 51100B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F0714AED09Dh 0x0000000a xor cl, 00000056h 0x0000000d jmp 00007F0714AED0A1h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov di, si 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0DA6 second address: 50D0E0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0714533657h 0x00000008 pushfd 0x00000009 jmp 00007F0714533658h 0x0000000e or cx, 2918h 0x00000013 jmp 00007F071453364Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d jmp 00007F0714533656h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0E0B second address: 50D0E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0E0F second address: 50D0E15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090B4E second address: 5090B8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F0714AED0A5h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007F0714AED0A3h 0x00000017 pop ecx 0x00000018 mov edx, 75C3B06Ch 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090B8A second address: 5090B90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090B90 second address: 5090BB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED09Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0714AED09Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090BB1 second address: 5090BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090BB5 second address: 5090BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090BBB second address: 5090BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F071453364Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090BCC second address: 5090C00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F0714AED09Dh 0x0000000f push dword ptr [ebp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F0714AED0A3h 0x0000001a movzx ecx, bx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090C00 second address: 5090C67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0714533650h 0x00000009 adc ah, FFFFFFA8h 0x0000000c jmp 00007F071453364Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F0714533658h 0x00000018 xor ax, 0008h 0x0000001d jmp 00007F071453364Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 push dword ptr [ebp+0Ch] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F0714533650h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090C67 second address: 5090C76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED09Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090C76 second address: 5090C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090C7C second address: 5090C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090C80 second address: 5090C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090C84 second address: 5090C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov dx, si 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090C97 second address: 5090C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090C9C second address: 5090CAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0714AED09Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090CAE second address: 5090CB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090CE1 second address: 5090CE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5090CE7 second address: 5090CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0B4A second address: 50D0B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0B50 second address: 50D0B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0B54 second address: 50D0B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0B58 second address: 50D0B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F071453364Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0B73 second address: 50D0B82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED09Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0B82 second address: 50D0BBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov ax, 1243h 0x00000011 mov ecx, 01CC8F9Fh 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F071453364Ch 0x00000022 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0BBF second address: 50D0BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0BC3 second address: 50D0BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50C0B73 second address: 50C0B82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED09Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50C0B82 second address: 50C0B88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50C0B88 second address: 50C0B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50C0B8C second address: 50C0B90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50C0B90 second address: 50C0BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F0714AED09Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0714AED0A7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50C0BC1 second address: 50C0BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 51108F1 second address: 5110909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0714AED0A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110909 second address: 511090D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 511090D second address: 511095F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov cx, bx 0x0000000d call 00007F0714AED0A9h 0x00000012 pushfd 0x00000013 jmp 00007F0714AED0A0h 0x00000018 xor cx, 9C68h 0x0000001d jmp 00007F0714AED09Bh 0x00000022 popfd 0x00000023 pop esi 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 511095F second address: 5110963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110963 second address: 5110967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110967 second address: 511096D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 511096D second address: 5110973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 51107DB second address: 5110811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F0714533653h 0x0000000a or cl, FFFFFFEEh 0x0000000d jmp 00007F0714533659h 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110811 second address: 5110817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0C30 second address: 50D0C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0C35 second address: 50D0C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, cx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov cx, CB17h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0C47 second address: 50D0C5A instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov di, si 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0C5A second address: 50D0C60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0C60 second address: 50D0C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0C66 second address: 50D0C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0C6A second address: 50D0C6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0C6E second address: 50D0C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c movzx ecx, dx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110D3C second address: 5110D46 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110D46 second address: 5110D56 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov eax, edx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110D56 second address: 5110D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110D5C second address: 5110D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110D60 second address: 5110D99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, 5A8F7934h 0x00000012 pushfd 0x00000013 jmp 00007F071453364Dh 0x00000018 sbb ecx, 1F1420F6h 0x0000001e jmp 00007F0714533651h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110D99 second address: 5110DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED0A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F0714AED09Eh 0x00000011 and dword ptr [eax], 00000000h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110DC7 second address: 5110DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50C0A9C second address: 50C0AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50C0AA0 second address: 50C0AB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533651h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50C0AB5 second address: 50C0AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED0A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop edi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 51100EB second address: 51101AB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F0714533657h 0x0000000c add cl, FFFFFF9Eh 0x0000000f jmp 00007F0714533659h 0x00000014 popfd 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 call 00007F071453364Ch 0x0000001d jmp 00007F0714533652h 0x00000022 pop esi 0x00000023 pushfd 0x00000024 jmp 00007F071453364Bh 0x00000029 jmp 00007F0714533653h 0x0000002e popfd 0x0000002f popad 0x00000030 push eax 0x00000031 jmp 00007F0714533659h 0x00000036 xchg eax, ebp 0x00000037 pushad 0x00000038 pushad 0x00000039 mov esi, 67BBFCE9h 0x0000003e mov edx, ecx 0x00000040 popad 0x00000041 movzx ecx, dx 0x00000044 popad 0x00000045 mov ebp, esp 0x00000047 pushad 0x00000048 mov edi, 26A47E1Eh 0x0000004d mov edx, 5A965E2Ah 0x00000052 popad 0x00000053 pop ebp 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 mov bh, al 0x00000059 mov bx, A5DAh 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 51101AB second address: 51101B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110B7E second address: 5110B84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110B84 second address: 5110B89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 5110B89 second address: 5110BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F0714533650h 0x0000000a add cl, 00000038h 0x0000000d jmp 00007F071453364Bh 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push edx 0x0000001b pop esi 0x0000001c mov cx, bx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50F0DE3 second address: 50F0E0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714AED0A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0714AED09Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50F0E0F second address: 50F0E4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F071453364Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0714533656h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F0714533650h 0x00000016 mov eax, dword ptr [ebp+08h] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c mov al, 5Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50F0E4F second address: 50F0E95 instructions: 0x00000000 rdtsc 0x00000002 mov eax, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dl, E3h 0x00000008 popad 0x00000009 and dword ptr [eax], 00000000h 0x0000000c pushad 0x0000000d call 00007F0714AED09Ah 0x00000012 jmp 00007F0714AED0A2h 0x00000017 pop eax 0x00000018 call 00007F0714AED09Bh 0x0000001d push ecx 0x0000001e pop edx 0x0000001f pop ecx 0x00000020 popad 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 movzx ecx, di 0x00000028 mov edx, 06B28CBCh 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50F0E95 second address: 50F0E9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50E0A7E second address: 50E0A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50E0A84 second address: 50E0A88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50E0A88 second address: 50E0A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50E0A99 second address: 50E0A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50E0A9D second address: 50E0AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50E0AA1 second address: 50E0AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50E0AA7 second address: 50E0AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50E0AAD second address: 50E0AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50E0AB1 second address: 50E0ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax], 00000000h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e call 00007F0714AED09Ah 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A00D4 second address: 50A00FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533650h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c call 00007F071453364Dh 0x00000011 pop eax 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 mov al, 87h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A00FE second address: 50A0119 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0714AED0A1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0119 second address: 50A0155 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0714533657h 0x00000009 sub ax, 621Eh 0x0000000e jmp 00007F0714533659h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0155 second address: 50A0179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F0714AED09Ch 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0714AED09Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0179 second address: 50A017F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A017F second address: 50A01F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 jmp 00007F0714AED0A9h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and esp, FFFFFFF8h 0x00000011 jmp 00007F0714AED09Eh 0x00000016 xchg eax, ecx 0x00000017 jmp 00007F0714AED0A0h 0x0000001c push eax 0x0000001d jmp 00007F0714AED09Bh 0x00000022 xchg eax, ecx 0x00000023 jmp 00007F0714AED0A6h 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F0714AED09Ah 0x00000032 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A01F5 second address: 50A01F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A01F9 second address: 50A01FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A01FF second address: 50A0205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0205 second address: 50A0209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0209 second address: 50A021A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ah, D5h 0x0000000e mov ch, dh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A021A second address: 50A0230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0714AED0A2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0230 second address: 50A0270 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F071453364Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0714533650h 0x00000013 sub eax, 3888F588h 0x00000019 jmp 00007F071453364Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebx, dword ptr [ebp+10h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0270 second address: 50A0274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0274 second address: 50A027A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A027A second address: 50A0297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0714AED0A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0297 second address: 50A02F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F071453364Ah 0x0000000e mov dword ptr [esp], esi 0x00000011 pushad 0x00000012 movzx ecx, dx 0x00000015 movsx edi, ax 0x00000018 popad 0x00000019 mov esi, dword ptr [ebp+08h] 0x0000001c pushad 0x0000001d movzx ecx, dx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushfd 0x00000023 jmp 00007F0714533653h 0x00000028 or si, 8D3Eh 0x0000002d jmp 00007F0714533659h 0x00000032 popfd 0x00000033 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A02F1 second address: 50A033F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0714AED0A0h 0x00000008 xor ecx, 1BDDDA38h 0x0000000e jmp 00007F0714AED09Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bh, 7Ah 0x0000001d pushfd 0x0000001e jmp 00007F0714AED09Ch 0x00000023 sbb ecx, 6212D498h 0x00000029 jmp 00007F0714AED09Bh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A033F second address: 50A0352 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bh 0x00000005 mov ax, 8447h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0352 second address: 50A0356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0356 second address: 50A036C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533652h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A036C second address: 50A0398 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 pushfd 0x00000007 jmp 00007F0714AED09Ah 0x0000000c or cx, D958h 0x00000011 jmp 00007F0714AED09Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, edi 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e mov dx, ax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0398 second address: 50A03DE instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F071453364Eh 0x00000008 and ecx, 54DDE3B8h 0x0000000e jmp 00007F071453364Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 test esi, esi 0x00000019 pushad 0x0000001a mov di, cx 0x0000001d pushad 0x0000001e movzx ecx, dx 0x00000021 popad 0x00000022 popad 0x00000023 je 00007F0786631891h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F071453364Ch 0x00000030 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A03DE second address: 50A03E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A03E3 second address: 50A0424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000e jmp 00007F0714533658h 0x00000013 je 00007F0786631868h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c call 00007F071453364Dh 0x00000021 pop ecx 0x00000022 movsx edx, si 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A0424 second address: 50A04B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0714AED0A9h 0x00000009 add si, 1276h 0x0000000e jmp 00007F0714AED0A1h 0x00000013 popfd 0x00000014 jmp 00007F0714AED0A0h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov edx, dword ptr [esi+44h] 0x0000001f jmp 00007F0714AED0A0h 0x00000024 or edx, dword ptr [ebp+0Ch] 0x00000027 jmp 00007F0714AED0A0h 0x0000002c test edx, 61000000h 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F0714AED0A7h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50A04B0 second address: 50A052D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0714533659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F0786631801h 0x0000000f jmp 00007F071453364Eh 0x00000014 test byte ptr [esi+48h], 00000001h 0x00000018 jmp 00007F0714533650h 0x0000001d jne 00007F07866317F2h 0x00000023 jmp 00007F0714533650h 0x00000028 test bl, 00000007h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push edi 0x0000002f pop eax 0x00000030 jmp 00007F0714533659h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D000B second address: 50D00AE instructions: 0x00000000 rdtsc 0x00000002 call 00007F0714AED09Fh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edx 0x0000000c jmp 00007F0714AED0A4h 0x00000011 mov dword ptr [esp], ebp 0x00000014 pushad 0x00000015 mov ecx, 6BCFE23Dh 0x0000001a pushfd 0x0000001b jmp 00007F0714AED09Ah 0x00000020 jmp 00007F0714AED0A5h 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 jmp 00007F0714AED09Eh 0x0000002e and esp, FFFFFFF8h 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F0714AED09Eh 0x00000038 adc si, 39A8h 0x0000003d jmp 00007F0714AED09Bh 0x00000042 popfd 0x00000043 call 00007F0714AED0A8h 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D00AE second address: 50D00FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushfd 0x00000009 jmp 00007F071453364Ah 0x0000000e sub ecx, 56E12738h 0x00000014 jmp 00007F071453364Bh 0x00000019 popfd 0x0000001a mov dx, cx 0x0000001d popad 0x0000001e mov dword ptr [esp], ebx 0x00000021 jmp 00007F0714533652h 0x00000026 xchg eax, esi 0x00000027 pushad 0x00000028 jmp 00007F071453364Eh 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D00FF second address: 50D0117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx ecx, bx 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, 192CCBF8h 0x00000012 mov edi, 135EAFA4h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0117 second address: 50D0134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0714533659h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0134 second address: 50D0186 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007F0714AED09Dh 0x0000000e mov esi, dword ptr [ebp+08h] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F0714AED09Ch 0x00000018 sbb ecx, 620B30B8h 0x0000001e jmp 00007F0714AED09Bh 0x00000023 popfd 0x00000024 push eax 0x00000025 push edx 0x00000026 call 00007F0714AED0A6h 0x0000002b pop eax 0x0000002c rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D0186 second address: 50D01D5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F071453364Bh 0x00000008 adc cx, 972Eh 0x0000000d jmp 00007F0714533659h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 sub ebx, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F0714533659h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D01D5 second address: 50D01DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D01DB second address: 50D020B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F071453364Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F0714533650h 0x00000010 je 00007F07865F97D7h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push ebx 0x0000001c pop ecx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe RDTSC instruction interceptor: First address: 50D020B second address: 50D0239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0714AED0A2h 0x00000009 jmp 00007F0714AED0A5h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\BakvzfVilG.exe Special instruction interceptor: First address: 760546 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: 130546 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\BakvzfVilG.exe Code function: 1_2_0512021A rdtsc 1_2_0512021A
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 540
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 7531
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8164 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8164 Thread sleep time: -106053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8168 Thread sleep count: 48 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8168 Thread sleep time: -96048s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8144 Thread sleep count: 540 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8144 Thread sleep time: -16200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8160 Thread sleep count: 58 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8160 Thread sleep time: -116058s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3548 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8156 Thread sleep count: 7531 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8156 Thread sleep time: -15069531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\BakvzfVilG.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 180000
Source: rapes.exe, rapes.exe, 0000000B.00000002.2460448321.00000000002C2000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: rapes.exe, 0000000B.00000002.2462059724.0000000001489000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.2462059724.0000000001459000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BakvzfVilG.exe, 00000001.00000003.1272642549.000000000130F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}U
Source: BakvzfVilG.exe, 00000001.00000002.1310511631.00000000008F2000.00000040.00000001.01000000.00000006.sdmp, rapes.exe, 00000005.00000002.1342789198.00000000002C2000.00000040.00000001.01000000.00000009.sdmp, rapes.exe, 00000007.00000002.1346903085.00000000002C2000.00000040.00000001.01000000.00000009.sdmp, rapes.exe, 0000000B.00000002.2460448321.00000000002C2000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: rapes.exe, 0000000B.00000002.2462059724.0000000001489000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWor
Source: C:\Users\user\Desktop\BakvzfVilG.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\BakvzfVilG.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\BakvzfVilG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SIWVID
Source: C:\Users\user\Desktop\BakvzfVilG.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BakvzfVilG.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BakvzfVilG.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\BakvzfVilG.exe Code function: 1_2_0512021A rdtsc 1_2_0512021A
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000EDB60 mov eax, dword ptr fs:[00000030h] 11_2_000EDB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000F5FF2 mov eax, dword ptr fs:[00000030h] 11_2_000F5FF2
Source: C:\Users\user\Desktop\BakvzfVilG.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: rapes.exe, rapes.exe, 0000000B.00000002.2460448321.00000000002C2000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: g9hProgram Manager
Source: BakvzfVilG.exe, 00000001.00000002.1310511631.00000000008F2000.00000040.00000001.01000000.00000006.sdmp, rapes.exe, 00000005.00000002.1342789198.00000000002C2000.00000040.00000001.01000000.00000009.sdmp, rapes.exe, 00000007.00000002.1346903085.00000000002C2000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: o g9hProgram Manager
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000E9AB5 cpuid 11_2_000E9AB5
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000E93A7 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 11_2_000E93A7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Code function: 11_2_000C61F0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegEnumValueA,DeleteObject,DeleteObject,DeleteObject,LookupAccountNameA, 11_2_000C61F0

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1300118568.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1346772088.00000000000C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1306345455.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1817827669.0000000005250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1341558629.00000000000C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2460152541.00000000000C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1310394274.00000000006F1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY

Remote Access Functionality

Source: BakvzfVilG.exe String found in binary or memory: net start termservice
Source: BakvzfVilG.exe, 00000001.00000003.1223636159.0000000004F10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: BakvzfVilG.exe, 00000001.00000002.1310394274.00000000006F1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: net start termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000005.00000003.1300118568.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000005.00000002.1341558629.00000000000C1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: net start termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000007.00000002.1346772088.00000000000C1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000007.00000003.1306345455.0000000004B20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000003.1817827669.0000000005250000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000002.2460152541.00000000000C1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: net start termservice