Windows Analysis Report
90ZF1EDs9h.exe

Overview

General Information

Sample name: 90ZF1EDs9h.exe
renamed because original name is a hash value
Original sample name: 9437d6cf2745f8683c3aa908e01b03cf.exe
Analysis ID: 1461305
MD5: 9437d6cf2745f8683c3aa908e01b03cf
SHA1: 4b954d00882c8249d11b61440976b2993ae4738a
SHA256: d3d0eeab1a06460ed303b065248db53d47bfd5c253324b0d2f9efcc2dc700a47
Tags: 32exetrojan
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 50%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 53% Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 53% Perma Link
Multi AV Scanner detection for submitted file
Source: 90ZF1EDs9h.exe Virustotal: Detection: 53% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 90ZF1EDs9h.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 90ZF1EDs9h.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49751 version: TLS 1.2

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49735
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49735 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49747
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49747 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49735
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49747
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View IP Address: 77.91.77.66 77.91.77.66
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_00049280 recv,WSASend, 0_2_00049280
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319159509.0000000000E53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E54000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33$
Source: MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33S
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/l/.
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33J
Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.2964515667.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/W&
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/alj
Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/tuO
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B86000.00000004.00000020.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33#H
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33H
Source: MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33q
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33~
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT8?
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTz
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/riseproD
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/riseproF
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botA$
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botGc
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botSS
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botj/
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botp
Source: 90ZF1EDs9h.exe, 00000000.00000002.2975858179.0000000007720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.v
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49751 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: 90ZF1EDs9h.exe Static PE information: section name:
Source: 90ZF1EDs9h.exe Static PE information: section name: .idata
Source: 90ZF1EDs9h.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_0007A928 0_2_0007A928
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_0007C960 0_2_0007C960
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_000771A0 0_2_000771A0
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_0008DA86 0_2_0008DA86
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_0008036F 0_2_0008036F
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_00098BB0 0_2_00098BB0
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_0012FC40 0_2_0012FC40
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_0006F580 0_2_0006F580
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_000947BF 0_2_000947BF
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_00132FD0 0_2_00132FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001CA928 5_2_001CA928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001CC960 5_2_001CC960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001C71A0 5_2_001C71A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001DDA86 5_2_001DDA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001D036F 5_2_001D036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001E8BB0 5_2_001E8BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0027FC40 5_2_0027FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001BF580 5_2_001BF580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001E47BF 5_2_001E47BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00282FD0 5_2_00282FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001CA928 6_2_001CA928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001CC960 6_2_001CC960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001C71A0 6_2_001C71A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001DDA86 6_2_001DDA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001D036F 6_2_001D036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001E8BB0 6_2_001E8BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0027FC40 6_2_0027FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001BF580 6_2_001BF580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001E47BF 6_2_001E47BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00282FD0 6_2_00282FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_0041C960 7_2_0041C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_0041A928 7_2_0041A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_004171A0 7_2_004171A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_0042DA86 7_2_0042DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_0042036F 7_2_0042036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00438BB0 7_2_00438BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_004CFC40 7_2_004CFC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_0040F580 7_2_0040F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00432610 7_2_00432610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_004D2FD0 7_2_004D2FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_004347BF 7_2_004347BF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0041C960 9_2_0041C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0041A928 9_2_0041A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_004171A0 9_2_004171A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0042DA86 9_2_0042DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0042036F 9_2_0042036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00438BB0 9_2_00438BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_004CFC40 9_2_004CFC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0040F580 9_2_0040F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00432610 9_2_00432610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_004D2FD0 9_2_004D2FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_004347BF 9_2_004347BF
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00414380 appears 48 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 001C4380 appears 48 times
Sample file is different than original file name gathered from version info
Source: 90ZF1EDs9h.exe, 00000000.00000000.1647503267.00000000001CA000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs 90ZF1EDs9h.exe
Source: 90ZF1EDs9h.exe Binary or memory string: OriginalFilenamedotnet.exe6 vs 90ZF1EDs9h.exe
Uses 32bit PE files
Source: 90ZF1EDs9h.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 90ZF1EDs9h.exe Static PE information: Section: ZLIB complexity 0.998056854470803
Source: 90ZF1EDs9h.exe Static PE information: Section: pobzuwwq ZLIB complexity 0.9947049260853293
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.998056854470803
Source: RageMP131.exe.0.dr Static PE information: Section: pobzuwwq ZLIB complexity 0.9947049260853293
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.998056854470803
Source: MPGPH131.exe.0.dr Static PE information: Section: pobzuwwq ZLIB complexity 0.9947049260853293
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@2/3
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 90ZF1EDs9h.exe Virustotal: Detection: 53%
Source: 90ZF1EDs9h.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 90ZF1EDs9h.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe File read: C:\Users\user\Desktop\90ZF1EDs9h.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\90ZF1EDs9h.exe "C:\Users\user\Desktop\90ZF1EDs9h.exe"
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: 90ZF1EDs9h.exe Static file information: File size 2432512 > 1048576
Source: 90ZF1EDs9h.exe Static PE information: Raw size of pobzuwwq is bigger than: 0x100000 < 0x1a1800

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Unpacked PE file: 0.2.90ZF1EDs9h.exe.40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 5.2.MPGPH131.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 7.2.RageMP131.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 9.2.RageMP131.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x25d952 should be: 0x253833
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x25d952 should be: 0x253833
Source: 90ZF1EDs9h.exe Static PE information: real checksum: 0x25d952 should be: 0x253833
PE file contains sections with non-standard names
Source: 90ZF1EDs9h.exe Static PE information: section name:
Source: 90ZF1EDs9h.exe Static PE information: section name: .idata
Source: 90ZF1EDs9h.exe Static PE information: section name:
Source: 90ZF1EDs9h.exe Static PE information: section name: pobzuwwq
Source: 90ZF1EDs9h.exe Static PE information: section name: bxltxemr
Source: 90ZF1EDs9h.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: pobzuwwq
Source: RageMP131.exe.0.dr Static PE information: section name: bxltxemr
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: pobzuwwq
Source: MPGPH131.exe.0.dr Static PE information: section name: bxltxemr
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_00073F59 push ecx; ret 0_2_00073F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_001C3F59 push ecx; ret 5_2_001C3F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001C3F59 push ecx; ret 6_2_001C3F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00413F59 push ecx; ret 7_2_00413F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_04F808D0 push cs; iretd 7_2_04F808DA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00413F59 push ecx; ret 9_2_00413F6C
Source: 90ZF1EDs9h.exe Static PE information: section name: entropy: 7.980016205845924
Source: 90ZF1EDs9h.exe Static PE information: section name: pobzuwwq entropy: 7.953477305499687
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.980016205845924
Source: RageMP131.exe.0.dr Static PE information: section name: pobzuwwq entropy: 7.953477305499687
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.980016205845924
Source: MPGPH131.exe.0.dr Static PE information: section name: pobzuwwq entropy: 7.953477305499687
Drops PE files
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 1D0B72 second address: 1D0B78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 1D0B78 second address: 1D0B7D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 338A6D second address: 338AB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB6h 0x00000007 jo 00007F7374772AA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007F7374772AB1h 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a jmp 00007F7374772AB5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3499FB second address: 3499FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C045 second address: 1D0B72 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7374772AA8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 2ED4FAD4h 0x00000013 or cl, FFFFFFF2h 0x00000016 push dword ptr [ebp+122D12B5h] 0x0000001c add dword ptr [ebp+122D2BC2h], edi 0x00000022 mov edi, dword ptr [ebp+122D3794h] 0x00000028 call dword ptr [ebp+122D1BF2h] 0x0000002e pushad 0x0000002f jnp 00007F7374772ABDh 0x00000035 jmp 00007F7374772AB7h 0x0000003a xor eax, eax 0x0000003c cmc 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jmp 00007F7374772AB3h 0x00000046 mov dword ptr [ebp+122D38D4h], eax 0x0000004c mov dword ptr [ebp+122D19F2h], ecx 0x00000052 mov esi, 0000003Ch 0x00000057 add dword ptr [ebp+122D19F2h], eax 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 pushad 0x00000062 mov dword ptr [ebp+122D19F2h], esi 0x00000068 jg 00007F7374772AACh 0x0000006e popad 0x0000006f lodsw 0x00000071 jmp 00007F7374772AAAh 0x00000076 add eax, dword ptr [esp+24h] 0x0000007a jne 00007F7374772AB8h 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 cld 0x00000085 nop 0x00000086 push eax 0x00000087 push edx 0x00000088 push eax 0x00000089 push edx 0x0000008a jmp 00007F7374772AB2h 0x0000008f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C1BC second address: 34C1E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F737512BAEAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F737512BAF1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C1E2 second address: 34C1EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F7374772AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C1EC second address: 34C226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edx, 6DE091C7h 0x00000011 push 00000000h 0x00000013 jl 00007F737512BAECh 0x00000019 mov dword ptr [ebp+122D1824h], eax 0x0000001f push 8D57C73Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 push edi 0x00000027 js 00007F737512BAE6h 0x0000002d pop edi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C226 second address: 34C22C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C22C second address: 34C230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C230 second address: 34C234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C234 second address: 34C2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 72A83944h 0x0000000f jmp 00007F737512BAF6h 0x00000014 push 00000003h 0x00000016 mov dword ptr [ebp+122D18F7h], edx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F737512BAE8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 call 00007F737512BAEBh 0x0000003d sub dword ptr [ebp+122D2BB5h], edx 0x00000043 pop esi 0x00000044 push 00000003h 0x00000046 mov ecx, edx 0x00000048 call 00007F737512BAE9h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C2A6 second address: 34C2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C2AA second address: 34C2C7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jp 00007F737512BAECh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C2C7 second address: 34C2CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C2CB second address: 34C2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d jbe 00007F737512BAE6h 0x00000013 jp 00007F737512BAE6h 0x00000019 popad 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C2E8 second address: 34C2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C2F6 second address: 34C3B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F737512BAF8h 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F737512BAE8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d call 00007F737512BAF6h 0x00000032 pushad 0x00000033 jnc 00007F737512BAE6h 0x00000039 pushad 0x0000003a popad 0x0000003b popad 0x0000003c pop edi 0x0000003d mov esi, 611F30B0h 0x00000042 lea ebx, dword ptr [ebp+1244EF7Ch] 0x00000048 push 00000000h 0x0000004a push eax 0x0000004b call 00007F737512BAE8h 0x00000050 pop eax 0x00000051 mov dword ptr [esp+04h], eax 0x00000055 add dword ptr [esp+04h], 00000016h 0x0000005d inc eax 0x0000005e push eax 0x0000005f ret 0x00000060 pop eax 0x00000061 ret 0x00000062 pushad 0x00000063 mov ecx, dword ptr [ebp+122D3828h] 0x00000069 mov ebx, dword ptr [ebp+122D3067h] 0x0000006f popad 0x00000070 sub dword ptr [ebp+122D1BB1h], ecx 0x00000076 xchg eax, ebx 0x00000077 jnl 00007F737512BAF2h 0x0000007d je 00007F737512BAECh 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C3B9 second address: 34C3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7374772AAAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C3CB second address: 34C3CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C3CF second address: 34C3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 34C3D9 second address: 34C3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 36AC68 second address: 36AC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7374772AA6h 0x0000000a jmp 00007F7374772AADh 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 jmp 00007F7374772AAAh 0x00000017 jl 00007F7374772AB2h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 36B336 second address: 36B33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 36B33C second address: 36B345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 36B9BD second address: 36B9C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 36B9C2 second address: 36B9D8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7374772AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F7374772AA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 36BB3C second address: 36BB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F737512BAF1h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F737512BB01h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 36C581 second address: 36C58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 36C58B second address: 36C59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F737512BAE6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 372EF1 second address: 372EF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 333AEC second address: 333AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAEDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 333AFD second address: 333B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 373C96 second address: 373CB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F737512BAE8h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 374416 second address: 37441C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37441C second address: 374422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37908C second address: 37909C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F7374772AA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 378771 second address: 378776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 378776 second address: 37877C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37877C second address: 378780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 378BDD second address: 378BE7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7374772AA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 378ED4 second address: 378EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 378EDD second address: 378EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 378EE1 second address: 378EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 378EE5 second address: 378F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7374772AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AB1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 378F04 second address: 378F2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F737512BAE6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37AEE6 second address: 37AEFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007F7374772AA6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F7374772AA6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37AEFD second address: 37AF07 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37AF91 second address: 37AF9B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37AF9B second address: 37AFA0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37B0C4 second address: 37B0C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37B6C2 second address: 37B6C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37B6C8 second address: 37B6E8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7374772AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F7374772AAFh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37C114 second address: 37C11D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37C19E second address: 37C1B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37C1B2 second address: 37C20A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F737512BAEBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F737512BAE8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 xor dword ptr [ebp+122D18F7h], esi 0x0000002e jmp 00007F737512BAECh 0x00000033 or di, 3297h 0x00000038 push eax 0x00000039 jp 00007F737512BAEEh 0x0000003f push ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37C6A2 second address: 37C6A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37C6A8 second address: 37C6AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37D0A1 second address: 37D0A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37D0A5 second address: 37D0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37CF1B second address: 37CF21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37D0AB second address: 37D0C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37D0C5 second address: 37D157 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F7374772AA8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 movsx edi, bx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebp 0x0000002c call 00007F7374772AA8h 0x00000031 pop ebp 0x00000032 mov dword ptr [esp+04h], ebp 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc ebp 0x0000003f push ebp 0x00000040 ret 0x00000041 pop ebp 0x00000042 ret 0x00000043 xor edi, dword ptr [ebp+122D3830h] 0x00000049 push 00000000h 0x0000004b jmp 00007F7374772AB0h 0x00000050 xchg eax, ebx 0x00000051 jl 00007F7374772AB7h 0x00000057 push eax 0x00000058 jnl 00007F7374772AAEh 0x0000005e push esi 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37ED09 second address: 37ED27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F737512BAF3h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37EAA6 second address: 37EAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37ED27 second address: 37EDC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F737512BAE8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push esi 0x00000026 add dword ptr [ebp+122D2BC7h], ecx 0x0000002c pop esi 0x0000002d mov dword ptr [ebp+122D2B0Fh], esi 0x00000033 push 00000000h 0x00000035 jnp 00007F737512BAECh 0x0000003b mov dword ptr [ebp+122D2F8Bh], edx 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push esi 0x00000046 call 00007F737512BAE8h 0x0000004b pop esi 0x0000004c mov dword ptr [esp+04h], esi 0x00000050 add dword ptr [esp+04h], 0000001Dh 0x00000058 inc esi 0x00000059 push esi 0x0000005a ret 0x0000005b pop esi 0x0000005c ret 0x0000005d mov edi, 1D3373FBh 0x00000062 xchg eax, ebx 0x00000063 jmp 00007F737512BAF3h 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F737512BAEAh 0x00000070 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37EAAA second address: 37EAAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37EAAE second address: 37EAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37F82F second address: 37F833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37EAB4 second address: 37EABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F737512BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37F5CE second address: 37F5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37F833 second address: 37F877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a adc di, 9C7Ch 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F737512BAE8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov si, 2D54h 0x0000002f push 00000000h 0x00000031 xor edi, 5BA521C3h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jns 00007F737512BAE6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 37F877 second address: 37F87D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3802C8 second address: 3802CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38005D second address: 380065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3802CC second address: 380314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F737512BAE8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov esi, dword ptr [ebp+1247D45Bh] 0x0000002a push 00000000h 0x0000002c mov si, dx 0x0000002f push 00000000h 0x00000031 mov di, dx 0x00000034 mov esi, dword ptr [ebp+122D38F4h] 0x0000003a push eax 0x0000003b jc 00007F737512BAF0h 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3817F0 second address: 38183E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnl 00007F7374772AB9h 0x0000000e nop 0x0000000f movsx edi, bx 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D392Ch] 0x0000001a push 00000000h 0x0000001c xchg eax, ebx 0x0000001d jmp 00007F7374772AB8h 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 380B3F second address: 380B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 380B48 second address: 380B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3820FF second address: 382103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38927A second address: 389282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 389282 second address: 389292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F737512BAE6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38753D second address: 387542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 389861 second address: 389866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38A850 second address: 38A86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jp 00007F7374772AA8h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 je 00007F7374772AACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3899D4 second address: 389A87 instructions: 0x00000000 rdtsc 0x00000002 js 00007F737512BAE8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jmp 00007F737512BAEEh 0x00000013 pop edi 0x00000014 nop 0x00000015 jmp 00007F737512BAF4h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 jmp 00007F737512BAF5h 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d jmp 00007F737512BAF6h 0x00000032 mov eax, dword ptr [ebp+122D0C2Dh] 0x00000038 js 00007F737512BAE7h 0x0000003e cmc 0x0000003f push FFFFFFFFh 0x00000041 push 00000000h 0x00000043 push edi 0x00000044 call 00007F737512BAE8h 0x00000049 pop edi 0x0000004a mov dword ptr [esp+04h], edi 0x0000004e add dword ptr [esp+04h], 0000001Ch 0x00000056 inc edi 0x00000057 push edi 0x00000058 ret 0x00000059 pop edi 0x0000005a ret 0x0000005b nop 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F737512BAF2h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38A86A second address: 38A8C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7374772AB4h 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+1244A37Ch], ecx 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 mov ebx, 58271747h 0x00000019 pop edi 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F7374772AA8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 push eax 0x00000037 js 00007F7374772AB0h 0x0000003d pushad 0x0000003e pushad 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 389A87 second address: 389AAD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F737512BAF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jng 00007F737512BAECh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38C834 second address: 38C83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38BA1C second address: 38BA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAF4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38C83B second address: 38C862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AAEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38BA35 second address: 38BAD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a cld 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F737512BAE8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c call 00007F737512BAECh 0x00000031 mov di, 403Ch 0x00000035 pop ebx 0x00000036 mov ebx, dword ptr [ebp+122D3864h] 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007F737512BAE8h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 00000015h 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d mov eax, dword ptr [ebp+122D031Dh] 0x00000063 mov di, B200h 0x00000067 push FFFFFFFFh 0x00000069 pushad 0x0000006a movzx edx, bx 0x0000006d mov edx, dword ptr [ebp+122D1C68h] 0x00000073 popad 0x00000074 push eax 0x00000075 jc 00007F737512BAEEh 0x0000007b push edi 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38C862 second address: 38C868 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 391CEC second address: 391CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 390F33 second address: 390FA7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7374772AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D2935h] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov di, E382h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F7374772AA8h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov ebx, dword ptr [ebp+1244B59Dh] 0x00000045 mov eax, dword ptr [ebp+122D0DD5h] 0x0000004b push FFFFFFFFh 0x0000004d jmp 00007F7374772AB7h 0x00000052 nop 0x00000053 jo 00007F7374772AB0h 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 393C52 second address: 393C75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F737512BAF8h 0x00000008 ja 00007F737512BAE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3304C9 second address: 3304CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3304CD second address: 3304D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3942EB second address: 3942F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3942F1 second address: 394368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+122D1882h] 0x00000010 push 00000000h 0x00000012 mov bl, E7h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F737512BAE8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 call 00007F737512BAF2h 0x00000035 mov dword ptr [ebp+122D2AF9h], esi 0x0000003b pop ebx 0x0000003c push eax 0x0000003d jng 00007F737512BB02h 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F737512BAF4h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 391EED second address: 391EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F7374772AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 39632F second address: 396333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 396333 second address: 396339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 396339 second address: 396353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F737512BAF5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 39826B second address: 398270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 398270 second address: 3982E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F737512BAEEh 0x00000010 jne 00007F737512BAF6h 0x00000016 popad 0x00000017 nop 0x00000018 mov di, 61E9h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F737512BAE8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 0000001Dh 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 mov dword ptr [ebp+1244D8C8h], esi 0x0000003e push 00000000h 0x00000040 mov ebx, dword ptr [ebp+122D37A8h] 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push esi 0x00000049 ja 00007F737512BAE6h 0x0000004f pop esi 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3982E8 second address: 3982EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3991FC second address: 39921A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAF9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3954CB second address: 3954D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 39A248 second address: 39A24D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 39C30E second address: 39C313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 39C313 second address: 39C320 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F737512BAE6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3A39E0 second address: 3A39E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3A39E6 second address: 3A39EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3A3575 second address: 3A357F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7374772AA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3A357F second address: 3A3585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 39A388 second address: 39A38C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3A6EE1 second address: 1D0B72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jg 00007F737512BAE8h 0x00000014 jmp 00007F737512BAECh 0x00000019 popad 0x0000001a pop eax 0x0000001b jmp 00007F737512BAF3h 0x00000020 push dword ptr [ebp+122D12B5h] 0x00000026 jmp 00007F737512BAEEh 0x0000002b call dword ptr [ebp+122D1BF2h] 0x00000031 pushad 0x00000032 jnp 00007F737512BAFDh 0x00000038 jmp 00007F737512BAF7h 0x0000003d xor eax, eax 0x0000003f cmc 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 jmp 00007F737512BAF3h 0x00000049 mov dword ptr [ebp+122D38D4h], eax 0x0000004f mov dword ptr [ebp+122D19F2h], ecx 0x00000055 mov esi, 0000003Ch 0x0000005a add dword ptr [ebp+122D19F2h], eax 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 pushad 0x00000065 mov dword ptr [ebp+122D19F2h], esi 0x0000006b jg 00007F737512BAECh 0x00000071 popad 0x00000072 lodsw 0x00000074 jmp 00007F737512BAEAh 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d jne 00007F737512BAF8h 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 cld 0x00000088 nop 0x00000089 push eax 0x0000008a push edx 0x0000008b push eax 0x0000008c push edx 0x0000008d jmp 00007F737512BAF2h 0x00000092 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 399428 second address: 399493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e mov edx, dword ptr [ebp+122D19F7h] 0x00000014 popad 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F7374772AA8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov bx, di 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov edi, dword ptr [ebp+122D39D8h] 0x00000046 sbb edi, 2EDA0B3Eh 0x0000004c mov eax, dword ptr [ebp+122D0159h] 0x00000052 mov bx, B334h 0x00000056 push FFFFFFFFh 0x00000058 mov dword ptr [ebp+122D2FBDh], edx 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push ebx 0x00000064 pop ebx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 399493 second address: 3994AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3994AC second address: 3994C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 398476 second address: 39849C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jng 00007F737512BAE6h 0x00000010 jmp 00007F737512BAF5h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3AE22D second address: 3AE233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3AE233 second address: 3AE237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3AEA99 second address: 3AEA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3AEBB5 second address: 3AEBB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3AEBB9 second address: 3AEC38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB9h 0x00000007 jmp 00007F7374772AB8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F7374772AADh 0x00000013 push ebx 0x00000014 pushad 0x00000015 jmp 00007F7374772AB9h 0x0000001a jmp 00007F7374772AB7h 0x0000001f jg 00007F7374772AA6h 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3B5FD9 second address: 3B6010 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F737512BAF9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F737512BAE8h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F737512BAEBh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3B6010 second address: 3B601A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3B5446 second address: 3B544A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3B5776 second address: 3B577B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3B577B second address: 3B5792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F737512BAEAh 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3B58C5 second address: 3B58C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3B58C9 second address: 3B58F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F737512BAE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F737512BAEDh 0x00000011 jmp 00007F737512BAEDh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3BA614 second address: 3BA62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7374772AAFh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3844FD second address: 1D0B72 instructions: 0x00000000 rdtsc 0x00000002 je 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F737512BAECh 0x00000011 nop 0x00000012 mov ecx, eax 0x00000014 push dword ptr [ebp+122D12B5h] 0x0000001a mov ecx, dword ptr [ebp+122D2BE6h] 0x00000020 call dword ptr [ebp+122D1BF2h] 0x00000026 pushad 0x00000027 jnp 00007F737512BAFDh 0x0000002d xor eax, eax 0x0000002f cmc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 jmp 00007F737512BAF3h 0x00000039 mov dword ptr [ebp+122D38D4h], eax 0x0000003f mov dword ptr [ebp+122D19F2h], ecx 0x00000045 mov esi, 0000003Ch 0x0000004a add dword ptr [ebp+122D19F2h], eax 0x00000050 add esi, dword ptr [esp+24h] 0x00000054 pushad 0x00000055 mov dword ptr [ebp+122D19F2h], esi 0x0000005b jg 00007F737512BAECh 0x00000061 popad 0x00000062 lodsw 0x00000064 jmp 00007F737512BAEAh 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d jne 00007F737512BAF8h 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 cld 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007F737512BAF2h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 384651 second address: 3846C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7374772AAFh 0x0000000e popad 0x0000000f add dword ptr [esp], 2B031606h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F7374772AA8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D1C05h] 0x00000036 push F37C85ECh 0x0000003b push esi 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F7374772AB6h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3847B7 second address: 3847D0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F737512BAE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F737512BAEAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3847D0 second address: 3847DA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7374772AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 384900 second address: 384906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 384906 second address: 38490C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38490C second address: 384910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 384E6F second address: 384E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 384FED second address: 384FF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 385125 second address: 38513A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7374772AAEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38513A second address: 385189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F737512BAF8h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F737512BAF6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 385208 second address: 385212 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 385212 second address: 385216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 385216 second address: 38528F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add ecx, 0F3C936Ah 0x00000010 lea eax, dword ptr [ebp+12486E6Ch] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F7374772AA8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D2BC7h], ebx 0x00000036 push eax 0x00000037 jmp 00007F7374772AAEh 0x0000003c mov dword ptr [esp], eax 0x0000003f mov edx, dword ptr [ebp+122D1AF9h] 0x00000045 mov dx, BD87h 0x00000049 lea eax, dword ptr [ebp+12486E28h] 0x0000004f mov di, ax 0x00000052 nop 0x00000053 pushad 0x00000054 push eax 0x00000055 pushad 0x00000056 popad 0x00000057 pop eax 0x00000058 jg 00007F7374772AA8h 0x0000005e popad 0x0000005f push eax 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 push esi 0x00000064 pop esi 0x00000065 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 38528F second address: 3852A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3B9D4F second address: 3B9D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3BA1C9 second address: 3BA1CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3BA1CD second address: 3BA1E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F7374772AB3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3BA1E9 second address: 3BA209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAEDh 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F737512BAEBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3BD2AC second address: 3BD2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jne 00007F7374772AA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3BD2B8 second address: 3BD2BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 33C016 second address: 33C052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7374772AB0h 0x00000014 pushad 0x00000015 jnp 00007F7374772AA6h 0x0000001b jmp 00007F7374772AAFh 0x00000020 jnp 00007F7374772AA6h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C16AB second address: 3C16B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C16B0 second address: 3C16BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C1A84 second address: 3C1AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnp 00007F737512BAEEh 0x0000000c jne 00007F737512BAE6h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F737512BAEDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C1AA9 second address: 3C1AD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F7374772AAEh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AB1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C1F8E second address: 3C1FA8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F737512BAF0h 0x00000010 jmp 00007F737512BAEAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C24CB second address: 3C24D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C24D1 second address: 3C24DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C24DC second address: 3C24ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F7374772AACh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C24ED second address: 3C24F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C24F2 second address: 3C24F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C24F8 second address: 3C24FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C24FE second address: 3C2504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C264F second address: 3C2655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C2655 second address: 3C2659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C139D second address: 3C13AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAECh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C63C1 second address: 3C63C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C63C5 second address: 3C63CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C63CB second address: 3C63E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7374772AB0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C63E1 second address: 3C6401 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F737512BAF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C6401 second address: 3C6407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3C6407 second address: 3C642C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F737512BAE6h 0x0000000a jbe 00007F737512BAE6h 0x00000010 popad 0x00000011 jmp 00007F737512BAEDh 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CB6EC second address: 3CB6FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F7374772AA6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CAFFA second address: 3CB009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jl 00007F737512BAE6h 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CB009 second address: 3CB026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CB16E second address: 3CB172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CB421 second address: 3CB42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CF3D8 second address: 3CF3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CED40 second address: 3CED60 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7374772AA6h 0x00000008 jmp 00007F7374772AB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CEE8D second address: 3CEE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CEE92 second address: 3CEEAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007F7374772AA6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F7374772AC1h 0x00000012 je 00007F7374772AACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CF0FF second address: 3CF103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CF103 second address: 3CF10B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3CF10B second address: 3CF13A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAF1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D3F7C second address: 3D3F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D3222 second address: 3D3234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F737512BAEAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D3234 second address: 3D3242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D3242 second address: 3D3257 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F737512BAF0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D33BC second address: 3D33EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB2h 0x00000007 jmp 00007F7374772AB9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D33EE second address: 3D33F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D33F4 second address: 3D33FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D36CD second address: 3D36D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D36D3 second address: 3D36E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7374772AA8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D36E1 second address: 3D36E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D36E8 second address: 3D36EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D381F second address: 3D3827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D3827 second address: 3D3846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F7374772AA6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007F7374772AAEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D3846 second address: 3D3860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jl 00007F737512BB1Bh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007F737512BAE6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D3860 second address: 3D3877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7374772AAFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D98C4 second address: 3D98E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F737512BAF6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D98E0 second address: 3D98FD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7374772AB1h 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D98FD second address: 3D9906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D9906 second address: 3D990A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D81C3 second address: 3D81C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D81C8 second address: 3D81CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D81CE second address: 3D81D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D81D2 second address: 3D81F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F7374772AACh 0x0000000e jnc 00007F7374772AA6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D81F0 second address: 3D81F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D81F4 second address: 3D81FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D863E second address: 3D8648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F737512BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3D8648 second address: 3D865A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F7374772AA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 384CDD second address: 384CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3DAECF second address: 3DAED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E0397 second address: 3E039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E120F second address: 3E1213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E1213 second address: 3E1217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E1531 second address: 3E154F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7374772AA6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F7374772AACh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E154F second address: 3E1553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E1553 second address: 3E1565 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F7374772AA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E1DE4 second address: 3E1DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E1DEB second address: 3E1DF9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7374772AA8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E1DF9 second address: 3E1DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E2091 second address: 3E20BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7374772AB0h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jnp 00007F7374772AA6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F7374772AA6h 0x00000019 jl 00007F7374772AA6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E6123 second address: 3E6142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F737512BAF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E640A second address: 3E6418 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E6568 second address: 3E656C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E656C second address: 3E6589 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AADh 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F7374772AA6h 0x0000000f jng 00007F7374772AA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E6849 second address: 3E6861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F737512BAF3h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E6861 second address: 3E68B1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7374772AA8h 0x00000008 jmp 00007F7374772AB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 jmp 00007F7374772AACh 0x00000016 pop edi 0x00000017 jnl 00007F7374772AA8h 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007F7374772AB9h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E69DC second address: 3E6A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 jmp 00007F737512BAEDh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F737512BAECh 0x00000015 jmp 00007F737512BAEFh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E6A0F second address: 3E6A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E6CD6 second address: 3E6CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3E6CDC second address: 3E6CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7374772AB2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3EB7C1 second address: 3EB7C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3EB7C6 second address: 3EB7F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7374772AB4h 0x0000000e jns 00007F7374772AA6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F4DC3 second address: 3F4DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F4DC9 second address: 3F4DDE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnl 00007F7374772AA6h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F4DDE second address: 3F4DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F4DE9 second address: 3F4DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F4DF1 second address: 3F4E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F737512BAE6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F4E02 second address: 3F4E1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F32B7 second address: 3F32BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F32BB second address: 3F32BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F32BF second address: 3F32C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F35CC second address: 3F35E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F7374772AAEh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F35E1 second address: 3F35F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007F737512BAE6h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F3784 second address: 3F37A1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7374772AA6h 0x00000008 jmp 00007F7374772AB0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F390C second address: 3F3910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F3ACA second address: 3F3AF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F3E04 second address: 3F3E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F3E08 second address: 3F3E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F4C3A second address: 3F4C44 instructions: 0x00000000 rdtsc 0x00000002 js 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3F4C44 second address: 3F4C49 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA78E second address: 3FA797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA797 second address: 3FA7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7374772AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA7B4 second address: 3FA7CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA7CA second address: 3FA7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA32B second address: 3FA351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F737512BAE6h 0x0000000a popad 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e je 00007F737512BAE6h 0x00000014 pop edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F737512BAECh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA351 second address: 3FA357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA488 second address: 3FA492 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA492 second address: 3FA496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA496 second address: 3FA49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA49E second address: 3FA4A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA4A4 second address: 3FA4C8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F737512BAE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F737512BAEFh 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 3FA4C8 second address: 3FA4DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7374772AA6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e js 00007F7374772AA6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4081EA second address: 4081F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4081F2 second address: 4081F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4081F6 second address: 408210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F737512BAF4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 40BEFD second address: 40BF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 40BF08 second address: 40BF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 40BF0C second address: 40BF27 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F7374772AA8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 40BF27 second address: 40BF40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF3h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4135C2 second address: 4135C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 41341D second address: 413423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 413423 second address: 413429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 413429 second address: 41342D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 41C660 second address: 41C664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 42164C second address: 421672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAF0h 0x00000009 jmp 00007F737512BAF1h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 421672 second address: 42167E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F7374772AA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 42167E second address: 42169C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F737512BAEBh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 42169C second address: 4216A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4217CA second address: 4217CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 421EF9 second address: 421EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 422A8F second address: 422A95 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 427508 second address: 42750E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 43D3D0 second address: 43D3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 43D3D9 second address: 43D3DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 44AEC5 second address: 44AEC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 44C6E5 second address: 44C6EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 44C6EB second address: 44C6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 44E509 second address: 44E515 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F7374772AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 477ED0 second address: 477ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 477ED4 second address: 477EE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AAAh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 478184 second address: 478196 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F737512BAE6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 478304 second address: 47830A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47830A second address: 47830F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47830F second address: 478315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 478315 second address: 47831B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47831B second address: 478358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AACh 0x00000007 jne 00007F7374772AA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007F7374772AC9h 0x00000017 jmp 00007F7374772AB7h 0x0000001c jc 00007F7374772AACh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 478465 second address: 47846F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 478B53 second address: 478B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47D00D second address: 47D011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47D011 second address: 47D017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47D017 second address: 47D021 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F737512BAECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47D62D second address: 47D631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47D631 second address: 47D63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47D63B second address: 47D63F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47EFA9 second address: 47EFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47EFAF second address: 47EFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47EAC0 second address: 47EAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 47EAC6 second address: 47EACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B406E4 second address: 4B40748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F737512BAF6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007F737512BAECh 0x00000018 pop esi 0x00000019 pushfd 0x0000001a jmp 00007F737512BAEBh 0x0000001f xor esi, 73258A6Eh 0x00000025 jmp 00007F737512BAF9h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B40748 second address: 4B407A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AB7h 0x00000009 or si, D07Eh 0x0000000e jmp 00007F7374772AB9h 0x00000013 popfd 0x00000014 mov bx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F7374772AAAh 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 mov bh, ah 0x00000025 mov si, di 0x00000028 popad 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e pop edi 0x0000002f push eax 0x00000030 pop edi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10128 second address: 4B10173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F737512BAEDh 0x0000000b adc ecx, 54075586h 0x00000011 jmp 00007F737512BAF1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F737512BAF8h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10173 second address: 4B10177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10177 second address: 4B1017D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B1017D second address: 4B101BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AACh 0x00000009 xor cl, FFFFFF88h 0x0000000c jmp 00007F7374772AABh 0x00000011 popfd 0x00000012 movzx eax, dx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007F7374772AB2h 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B101BC second address: 4B101C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B101C0 second address: 4B101C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B101C6 second address: 4B10252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007F737512BAEEh 0x00000011 pushfd 0x00000012 jmp 00007F737512BAF2h 0x00000017 and cl, FFFFFFA8h 0x0000001a jmp 00007F737512BAEBh 0x0000001f popfd 0x00000020 pop ecx 0x00000021 pushfd 0x00000022 jmp 00007F737512BAF9h 0x00000027 adc ah, FFFFFFC6h 0x0000002a jmp 00007F737512BAF1h 0x0000002f popfd 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F737512BAEDh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B800AF second address: 4B800B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B00D57 second address: 4B00D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B00D6B second address: 4B00E1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F7374772AB6h 0x00000010 push dword ptr [ebp+04h] 0x00000013 jmp 00007F7374772AB0h 0x00000018 push dword ptr [ebp+0Ch] 0x0000001b pushad 0x0000001c pushad 0x0000001d jmp 00007F7374772AACh 0x00000022 pushfd 0x00000023 jmp 00007F7374772AB2h 0x00000028 add al, 00000008h 0x0000002b jmp 00007F7374772AABh 0x00000030 popfd 0x00000031 popad 0x00000032 pushfd 0x00000033 jmp 00007F7374772AB8h 0x00000038 and ah, 00000068h 0x0000003b jmp 00007F7374772AABh 0x00000040 popfd 0x00000041 popad 0x00000042 push dword ptr [ebp+08h] 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F7374772AB5h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B00E1C second address: 4B00E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B00E2C second address: 4B00E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B00E69 second address: 4B00E6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B00E6F second address: 4B00E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B00E73 second address: 4B00E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CA7 second address: 4B70CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CAB second address: 4B70CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CB1 second address: 4B70CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CCE second address: 4B70CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CD2 second address: 4B70CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CE2 second address: 4B70CE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CE6 second address: 4B70CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CEC second address: 4B70CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CF2 second address: 4B70CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70CF6 second address: 4B70D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAF2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70D13 second address: 4B70D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70D19 second address: 4B70D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50B4E second address: 4B50B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50B53 second address: 4B50B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50B59 second address: 4B50B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50B5D second address: 4B50B87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F737512BAF0h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50B87 second address: 4B50B8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50B8D second address: 4B50B93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50B93 second address: 4B50B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50B97 second address: 4B50BB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F737512BAEFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50BB3 second address: 4B50BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50BB7 second address: 4B50BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50BBD second address: 4B50BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50BCC second address: 4B50BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50BD0 second address: 4B50BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50BDF second address: 4B50C06 instructions: 0x00000000 rdtsc 0x00000002 mov dl, BAh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop edx 0x00000009 movzx esi, dx 0x0000000c popad 0x0000000d popad 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F737512BAF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50C06 second address: 4B50C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50C18 second address: 4B50C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4BA00EB second address: 4BA0110 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7374772AADh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80CC1 second address: 4B80CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80CC7 second address: 4B80CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80CCB second address: 4B80CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80CCF second address: 4B80CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ecx, 340D98D3h 0x0000000f push eax 0x00000010 mov bl, C8h 0x00000012 pop ecx 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80CE7 second address: 4B80D29 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F737512BAF2h 0x00000008 add ax, FF88h 0x0000000d jmp 00007F737512BAEBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F737512BAF5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80D29 second address: 4B80D2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80D2F second address: 4B80D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10815 second address: 4B10828 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10828 second address: 4B1082E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B1082E second address: 4B10832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10832 second address: 4B10850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F737512BAEEh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10850 second address: 4B10854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10854 second address: 4B1085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B1085A second address: 4B10869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10869 second address: 4B10879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10879 second address: 4B1087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B1087D second address: 4B10881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B10881 second address: 4B10887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70D47 second address: 4B70DB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F737512BAF7h 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F737512BAF9h 0x0000000f adc al, 00000006h 0x00000012 jmp 00007F737512BAF1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F737512BAEEh 0x00000021 push eax 0x00000022 jmp 00007F737512BAEBh 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70DB6 second address: 4B70DBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70DBA second address: 4B70DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80466 second address: 4B804A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov ah, bh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7374772AAFh 0x00000014 xor si, 84BEh 0x00000019 jmp 00007F7374772AB9h 0x0000001e popfd 0x0000001f mov ax, EA07h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B804A8 second address: 4B804B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov bl, DAh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B804B9 second address: 4B804BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B804BF second address: 4B804C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 7AED81A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B804C9 second address: 4B80524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov edi, 47B7CD2Ch 0x0000000e mov dl, 90h 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F7374772AB9h 0x0000001b pop ecx 0x0000001c pushfd 0x0000001d jmp 00007F7374772AB1h 0x00000022 sub ecx, 02504466h 0x00000028 jmp 00007F7374772AB1h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80524 second address: 4B80550 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 push edi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e jmp 00007F737512BAF5h 0x00000013 and dword ptr [eax], 00000000h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80550 second address: 4B80554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80554 second address: 4B80567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80567 second address: 4B805D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AAFh 0x00000009 or al, FFFFFFAEh 0x0000000c jmp 00007F7374772AB9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F7374772AB0h 0x00000018 sbb al, 00000028h 0x0000001b jmp 00007F7374772AABh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 and dword ptr [eax+04h], 00000000h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F7374772AB5h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B805D5 second address: 4B805DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 01227DD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50A6F second address: 4B50AA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F7374772AB5h 0x0000000b jmp 00007F7374772AABh 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov dh, 77h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50AA1 second address: 4B50B02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F737512BAF6h 0x00000009 sbb eax, 029C8068h 0x0000000f jmp 00007F737512BAEBh 0x00000014 popfd 0x00000015 jmp 00007F737512BAF8h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F737512BAF7h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80E96 second address: 4B80E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80E9C second address: 4B80ECC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F737512BAF8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80ECC second address: 4B80EDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80EDB second address: 4B80EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80EF3 second address: 4B80F17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov ecx, 600E1D8Bh 0x00000013 mov si, 0767h 0x00000017 popad 0x00000018 pop ebp 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B80F17 second address: 4B80F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B307AE second address: 4B307B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B307B2 second address: 4B3082E instructions: 0x00000000 rdtsc 0x00000002 mov ah, 25h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F737512BAF5h 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F737512BAF3h 0x00000014 sub eax, 053B879Eh 0x0000001a jmp 00007F737512BAF9h 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F737512BAEAh 0x0000002b jmp 00007F737512BAF5h 0x00000030 popfd 0x00000031 mov dx, ax 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B3082E second address: 4B30850 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 5D11025Eh 0x00000008 call 00007F7374772AAFh 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B30850 second address: 4B30854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B30854 second address: 4B3085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B3085A second address: 4B30874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAF6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B30874 second address: 4B3089B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AB9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B3089B second address: 4B308A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B308A1 second address: 4B308C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AAAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B308C0 second address: 4B308CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90A8D second address: 4B90AA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90AA8 second address: 4B90AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90AAD second address: 4B90AEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7374772AABh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F7374772AB6h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90AEE second address: 4B90AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90AF2 second address: 4B90B0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90B0F second address: 4B90B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90B15 second address: 4B90B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90B19 second address: 4B90B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAEBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90B2F second address: 4B90B58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 movsx edx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7374772AB9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90B58 second address: 4B90B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90B68 second address: 4B90C65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [76FB65FCh] 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F7374772AB4h 0x00000017 add esi, 06235C68h 0x0000001d jmp 00007F7374772AABh 0x00000022 popfd 0x00000023 mov ecx, 7AAA125Fh 0x00000028 popad 0x00000029 test eax, eax 0x0000002b pushad 0x0000002c mov ecx, edi 0x0000002e popad 0x0000002f je 00007F73E6B1585Ah 0x00000035 jmp 00007F7374772AB9h 0x0000003a mov ecx, eax 0x0000003c jmp 00007F7374772AAEh 0x00000041 xor eax, dword ptr [ebp+08h] 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F7374772AB7h 0x0000004b jmp 00007F7374772AB3h 0x00000050 popfd 0x00000051 push ecx 0x00000052 pushfd 0x00000053 jmp 00007F7374772AAFh 0x00000058 and si, 97CEh 0x0000005d jmp 00007F7374772AB9h 0x00000062 popfd 0x00000063 pop eax 0x00000064 popad 0x00000065 and ecx, 1Fh 0x00000068 jmp 00007F7374772AB7h 0x0000006d ror eax, cl 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 popad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90C65 second address: 4B90C6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90C6B second address: 4B90C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B90C71 second address: 4B90C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B5001C second address: 4B50020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50020 second address: 4B50026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50026 second address: 4B5002B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B5002B second address: 4B5003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B5003B second address: 4B5003F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B5003F second address: 4B50045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50045 second address: 4B50091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 508E5755h 0x00000008 mov ah, 13h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f movzx ecx, dx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F7374772AB0h 0x00000019 jmp 00007F7374772AB5h 0x0000001e popfd 0x0000001f popad 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F7374772AADh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50091 second address: 4B50106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F737512BAF7h 0x00000009 jmp 00007F737512BAF3h 0x0000000e popfd 0x0000000f jmp 00007F737512BAF8h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 jmp 00007F737512BAF0h 0x0000001e and esp, FFFFFFF8h 0x00000021 jmp 00007F737512BAF0h 0x00000026 xchg eax, ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50106 second address: 4B5010D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B5010D second address: 4B50156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ch 0x00000005 mov edi, 72A27252h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F737512BAF8h 0x00000013 xchg eax, ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov dx, 5C80h 0x0000001b call 00007F737512BAF9h 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50156 second address: 4B501F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AB8h 0x00000009 and esi, 5DC63D28h 0x0000000f jmp 00007F7374772AABh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a mov bx, cx 0x0000001d movzx ecx, dx 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007F7374772AAAh 0x00000027 xchg eax, ebx 0x00000028 jmp 00007F7374772AB0h 0x0000002d mov ebx, dword ptr [ebp+10h] 0x00000030 jmp 00007F7374772AB0h 0x00000035 xchg eax, esi 0x00000036 jmp 00007F7374772AB0h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007F7374772AACh 0x00000045 add ah, 00000048h 0x00000048 jmp 00007F7374772AABh 0x0000004d popfd 0x0000004e push eax 0x0000004f pop edi 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B501F3 second address: 4B50213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50213 second address: 4B50217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50217 second address: 4B5021B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B5021B second address: 4B50221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50221 second address: 4B50227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50227 second address: 4B5022B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B5022B second address: 4B50286 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F737512BAF0h 0x00000013 xchg eax, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ecx 0x00000019 pushfd 0x0000001a jmp 00007F737512BAF9h 0x0000001f sub al, FFFFFFD6h 0x00000022 jmp 00007F737512BAF1h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50286 second address: 4B502CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov di, ax 0x0000000d mov bl, ah 0x0000000f popad 0x00000010 xchg eax, edi 0x00000011 jmp 00007F7374772AB9h 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F7374772AB8h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B502CE second address: 4B502DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B502DD second address: 4B502E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B502E3 second address: 4B5032E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F73E7509E10h 0x0000000e jmp 00007F737512BAF7h 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a pushad 0x0000001b movzx esi, bx 0x0000001e mov esi, edx 0x00000020 popad 0x00000021 je 00007F73E7509DFBh 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F737512BAEFh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B5032E second address: 4B50332 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50332 second address: 4B50385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, ecx 0x00000008 popad 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007F737512BAF0h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F737512BAEEh 0x0000001b adc si, 6C08h 0x00000020 jmp 00007F737512BAEBh 0x00000025 popfd 0x00000026 pushad 0x00000027 mov esi, 35138295h 0x0000002c popad 0x0000002d popad 0x0000002e test edx, 61000000h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B50385 second address: 4B5038D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B5038D second address: 4B503A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2914h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F73E7509DD5h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B503A5 second address: 4B503A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B503A9 second address: 4B503BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B503BB second address: 4B503E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d pushad 0x0000000e mov edi, ecx 0x00000010 mov dx, cx 0x00000013 popad 0x00000014 jne 00007F73E6B50D72h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B503E1 second address: 4B503E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B503E5 second address: 4B503EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70010 second address: 4B7001F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7001F second address: 4B70025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70025 second address: 4B70029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70029 second address: 4B7002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7002D second address: 4B7005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a mov esi, 47620689h 0x0000000f jmp 00007F737512BAF6h 0x00000014 popad 0x00000015 mov dword ptr [esp], ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7005C second address: 4B70060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70060 second address: 4B70064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70064 second address: 4B7006A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7006A second address: 4B700DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 05B4h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c jmp 00007F737512BAF3h 0x00000011 and esp, FFFFFFF8h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F737512BAEBh 0x0000001d jmp 00007F737512BAF3h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F737512BAF8h 0x00000029 xor cx, 40F8h 0x0000002e jmp 00007F737512BAEBh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B700DA second address: 4B70114 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7374772AAFh 0x00000008 call 00007F7374772AB8h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ah, bl 0x00000017 mov eax, 57B0F01Bh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70114 second address: 4B70124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70124 second address: 4B70168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e jmp 00007F7374772AB6h 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F7374772AB7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70168 second address: 4B7016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7016E second address: 4B70186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70186 second address: 4B7018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7018A second address: 4B70190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70190 second address: 4B701F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov dh, ah 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F737512BAEBh 0x00000014 jmp 00007F737512BAF3h 0x00000019 popfd 0x0000001a popad 0x0000001b popad 0x0000001c mov esi, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F737512BAEBh 0x00000028 jmp 00007F737512BAF3h 0x0000002d popfd 0x0000002e mov ch, 2Eh 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B701F1 second address: 4B70212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, A6h 0x00000005 call 00007F7374772AADh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebx, 00000000h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70212 second address: 4B7022B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7022B second address: 4B70231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70231 second address: 4B70235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70235 second address: 4B702C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7374772AB4h 0x00000014 and ecx, 1A0FF318h 0x0000001a jmp 00007F7374772AABh 0x0000001f popfd 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F7374772AB6h 0x00000027 adc si, DD78h 0x0000002c jmp 00007F7374772AABh 0x00000031 popfd 0x00000032 popad 0x00000033 popad 0x00000034 je 00007F73E6B28B91h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F7374772AB7h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B702C4 second address: 4B702E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B702E1 second address: 4B702E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B702E7 second address: 4B7030D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7030D second address: 4B70311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70311 second address: 4B70317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70317 second address: 4B7033C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 mov di, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, esi 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007F7374772AB3h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7033C second address: 4B70365 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 0CCA1741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a je 00007F73E74E1B43h 0x00000010 jmp 00007F737512BAECh 0x00000015 test byte ptr [76FB6968h], 00000002h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70365 second address: 4B70369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70369 second address: 4B70386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70386 second address: 4B7038B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7038B second address: 4B703E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 59h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F73E74E1B08h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F737512BAF1h 0x00000018 or ah, 00000056h 0x0000001b jmp 00007F737512BAF1h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F737512BAF0h 0x00000027 and eax, 1BA2F078h 0x0000002d jmp 00007F737512BAEBh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B703E8 second address: 4B703EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B703EE second address: 4B703F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B703F2 second address: 4B70419 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov di, ax 0x00000011 call 00007F7374772AB4h 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70419 second address: 4B70439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAF5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70439 second address: 4B7043F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B7043F second address: 4B70443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70443 second address: 4B70462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B70462 second address: 4B704DC instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 67120F74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F737512BAEDh 0x0000000f adc esi, 0BB84D36h 0x00000015 jmp 00007F737512BAF1h 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e jmp 00007F737512BAECh 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F737512BAF0h 0x0000002a xor cl, FFFFFF88h 0x0000002d jmp 00007F737512BAEBh 0x00000032 popfd 0x00000033 mov eax, 0C89CFFFh 0x00000038 popad 0x00000039 popad 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F737512BAF1h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B704DC second address: 4B704F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe RDTSC instruction interceptor: First address: 4B704F8 second address: 4B704FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Special instruction interceptor: First address: 1D0BD6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Special instruction interceptor: First address: 1D0B05 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Special instruction interceptor: First address: 373A87 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Special instruction interceptor: First address: 1CE10A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Special instruction interceptor: First address: 39CF2B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Special instruction interceptor: First address: 3FCAEB instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 320BD6 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 320B05 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 4C3A87 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 31E10A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 4ECF2B instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 54CAEB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 570BD6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 570B05 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 713A87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 56E10A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 73CF2B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 79CAEB instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_04BC0728 rdtsc 0_2_04BC0728
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window / User API: threadDelayed 1247 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window / User API: threadDelayed 1188 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window / User API: threadDelayed 1207 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window / User API: threadDelayed 1009 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Window / User API: threadDelayed 403 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1265 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1266 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1182 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1229 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1302 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1323 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1270 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1217 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1275 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1521 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1502 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1526 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1371 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1499 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7344 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7344 Thread sleep time: -74037s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7340 Thread sleep count: 1247 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7340 Thread sleep time: -2495247s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7412 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7304 Thread sleep count: 97 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320 Thread sleep count: 1188 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320 Thread sleep time: -2377188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7328 Thread sleep count: 1207 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7328 Thread sleep time: -2415207s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7304 Thread sleep count: 205 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324 Thread sleep count: 1009 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324 Thread sleep time: -2019009s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7304 Thread sleep count: 52 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324 Thread sleep count: 293 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324 Thread sleep time: -586293s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320 Thread sleep count: 403 > 30 Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320 Thread sleep time: -806403s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612 Thread sleep time: -84042s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 Thread sleep count: 1265 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 Thread sleep time: -2531265s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556 Thread sleep count: 91 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556 Thread sleep count: 227 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 1266 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep time: -2533266s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7708 Thread sleep count: 40 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7708 Thread sleep time: -80040s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7692 Thread sleep count: 1182 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7692 Thread sleep time: -2365182s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564 Thread sleep count: 105 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564 Thread sleep count: 81 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7688 Thread sleep count: 1229 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7688 Thread sleep time: -2459229s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564 Thread sleep count: 215 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7700 Thread sleep count: 1302 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7700 Thread sleep time: -2605302s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920 Thread sleep time: -76038s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7904 Thread sleep count: 1323 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7904 Thread sleep time: -2647323s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7992 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876 Thread sleep count: 56 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876 Thread sleep count: 114 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876 Thread sleep count: 153 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7896 Thread sleep count: 1270 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7896 Thread sleep time: -2541270s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876 Thread sleep count: 92 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7900 Thread sleep count: 1217 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7900 Thread sleep time: -2435217s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892 Thread sleep count: 1275 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892 Thread sleep time: -2551275s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7220 Thread sleep count: 59 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7220 Thread sleep time: -118059s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7196 Thread sleep count: 58 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7196 Thread sleep time: -116058s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280 Thread sleep count: 70 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280 Thread sleep count: 112 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6440 Thread sleep count: 1521 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6440 Thread sleep time: -3043521s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4080 Thread sleep count: 1502 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4080 Thread sleep time: -3005502s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280 Thread sleep count: 113 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4900 Thread sleep count: 1526 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4900 Thread sleep time: -3053526s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280 Thread sleep count: 82 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4828 Thread sleep count: 1371 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4828 Thread sleep time: -2743371s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2724 Thread sleep count: 1499 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2724 Thread sleep time: -2999499s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280 Thread sleep count: 41 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: 90ZF1EDs9h.exe, 00000000.00000003.1672128094.0000000000B88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}z]
Source: MPGPH131.exe, 00000005.00000003.1694159336.0000000000D45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: RageMP131.exe, 00000009.00000003.1891360029.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp'
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&%
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: MPGPH131.exe, 00000006.00000003.1711821266.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}v
Source: RageMP131.exe, 00000009.00000003.1891360029.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Fc
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: RageMP131.exe, 00000007.00000003.1811415935.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&db
Source: 90ZF1EDs9h.exe, 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 00000007.00000003.1811415935.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}o
Source: 90ZF1EDs9h.exe, 00000000.00000003.1672128094.0000000000B88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&;
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_04BC04E4 Start: 04BC055D End: 04BC04A1 0_2_04BC04E4
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_04BC0AEF Start: 04BC0AF6 End: 04BC0B00 0_2_04BC0AEF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_04D102F9 Start: 04D10474 End: 04D102C8 5_2_04D102F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_04C50587 Start: 04C505B6 End: 04C505BC 6_2_04C50587
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_04F803CB Start: 04F80525 End: 04F80403 7_2_04F803CB
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_04BC0728 rdtsc 0_2_04BC0728
Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: xProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Code function: 0_2_0007361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_0007361D
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: Process Memory Space: 90ZF1EDs9h.exe PID: 7300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7132, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: Process Memory Space: 90ZF1EDs9h.exe PID: 7300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7132, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1461305 Sample: 90ZF1EDs9h.exe Startdate: 23/06/2024 Architecture: WINDOWS Score: 100 35 ipinfo.io 2->35 37 db-ip.com 2->37 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected RisePro Stealer 2->49 51 4 other signatures 2->51 8 90ZF1EDs9h.exe 1 9 2->8         started        13 RageMP131.exe 2 2->13         started        15 MPGPH131.exe 2 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 39 77.91.77.66, 49731, 49732, 49733 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 8->39 41 ipinfo.io 34.117.186.192, 443, 49734, 49738 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->41 43 db-ip.com 104.26.5.15, 443, 49736, 49740 CLOUDFLARENETUS United States 8->43 27 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 8->27 dropped 29 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 8->29 dropped 31 C:\Users\...\RageMP131.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\...\MPGPH131.exe:Zone.Identifier, ASCII 8->33 dropped 53 Detected unpacking (changes PE section rights) 8->53 55 Found stalling execution ending in API Sleep call 8->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 8->57 59 Tries to detect virtualization through RDTSC time measurements 8->59 19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        61 Multi AV Scanner detection for dropped file 13->61 63 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->63 65 Machine Learning detection for dropped file 13->65 67 Tries to evade debugger and weak emulator (self modifying code) 15->67 69 Hides threads from debuggers 15->69 71 Potentially malicious time measurement code found 15->71 73 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->73 75 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 17->75 file6 signatures7 process8 process9 23 conhost.exe 19->23         started        25 conhost.exe 21->25         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
104.26.5.15
 db-ip.com United States
13335 CLOUDFLARENETUS false
77.91.77.66
 unknown Russian Federation
42861 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU true

Contacted Domains

Name IP Active
ipinfo.io 34.117.186.192 true
db-ip.com 104.26.5.15 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ipinfo.io/ false
  • URL Reputation: safe
 unknown
https://ipinfo.io/widget/demo/8.46.123.33 false
  • Avira URL Cloud: safe
 unknown
https://db-ip.com/demo/home.php?s=8.46.123.33 false
  • Avira URL Cloud: safe
 unknown