Windows Analysis Report
installer.exe

Overview

General Information

Sample name: installer.exe
Analysis ID: 1464451
MD5: a0e213177ee87cbb5ec32bef195bbfa9
SHA1: 6265b138b96d83b070ce14cc16e528bdf68aa160
SHA256: 141be7789497012b7911cabb1307e25e19f747e2e8fb5375f9cddff7e5f28265
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 68%
Source: installer.exe ReversingLabs: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: installer.exe Joe Sandbox ML: detected
Source: installer.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49712 -> 77.91.77.66:58709
Source: global traffic TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.6:49712 -> 77.91.77.66:58709
Source: Joe Sandbox View IP Address: 77.91.77.66
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: C:\Users\user\Desktop\installer.exe Code function: 0_2_00999280 recv,WSASend, 0_2_00999280
Source: installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe String found in binary or memory: https://ipinfo.io/
Source: installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: installer.exe, 00000000.00000002.3366357434.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3366350121.000000000160E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3366635395.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3354481282.000000000089E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3354916992.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000008.00000002.3354481282.000000000089E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTS
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

Source: installer.exe Static PE information: section name:
Source: installer.exe Static PE information: section name: .idata
Source: installer.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00174380 appears 48 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00F84380 appears 48 times
Source: installer.exe, 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs installer.exe
Source: installer.exe Binary or memory string: OriginalFilenamedotnet.exe6 vs installer.exe
Source: installer.exe Static PE information: Section: ZLIB complexity 0.9983676437043796
Source: installer.exe Static PE information: Section: iolmakfn ZLIB complexity 0.9944186223712282
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983676437043796
Source: RageMP131.exe.0.dr Static PE information: Section: iolmakfn ZLIB complexity 0.9944186223712282
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983676437043796
Source: MPGPH131.exe.0.dr Static PE information: Section: iolmakfn ZLIB complexity 0.9944186223712282
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\installer.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4156:120:WilError_03
Source: C:\Users\user\Desktop\installer.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\installer.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: installer.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: installer.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\installer.exe File read: C:\Users\user\Desktop\installer.exe
Source: unknown Process created: C:\Users\user\Desktop\installer.exe "C:\Users\user\Desktop\installer.exe"
Source: C:\Users\user\Desktop\installer.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\installer.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\installer.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\installer.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: installer.exe Static file information: File size 2402816 > 1048576
Source: installer.exe Static PE information: Raw size of iolmakfn is bigger than: 0x100000 < 0x19a200

Data Obfuscation

Source: C:\Users\user\Desktop\installer.exe Unpacked PE file: 0.2.installer.exe.990000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.140000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.140000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.f50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 12.2.RageMP131.exe.f50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x2578f2 should be: 0x25a30a
Source: installer.exe Static PE information: real checksum: 0x2578f2 should be: 0x25a30a
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x2578f2 should be: 0x25a30a
Source: installer.exe Static PE information: section name:
Source: installer.exe Static PE information: section name: .idata
Source: installer.exe Static PE information: section name:
Source: installer.exe Static PE information: section name: iolmakfn
Source: installer.exe Static PE information: section name: rrgdmorv
Source: installer.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: iolmakfn
Source: RageMP131.exe.0.dr Static PE information: section name: rrgdmorv
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: iolmakfn
Source: MPGPH131.exe.0.dr Static PE information: section name: rrgdmorv
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\installer.exe Code function: 0_2_009C3F59 push ecx; ret 0_2_009C3F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00173F59 push ecx; ret 6_2_00173F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00173F59 push ecx; ret 7_2_00173F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00F83F59 push ecx; ret 8_2_00F83F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_00F83F59 push ecx; ret 12_2_00F83F6C
Source: installer.exe Static PE information: section name: entropy: 7.983217514944371
Source: installer.exe Static PE information: section name: iolmakfn entropy: 7.952587985100504
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.983217514944371
Source: RageMP131.exe.0.dr Static PE information: section name: iolmakfn entropy: 7.952587985100504
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.983217514944371
Source: MPGPH131.exe.0.dr Static PE information: section name: iolmakfn entropy: 7.952587985100504
Source: C:\Users\user\Desktop\installer.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\installer.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Boot Survival

Source: C:\Users\user\Desktop\installer.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\installer.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\installer.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\installer.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\installer.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\installer.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\installer.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\installer.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\installer.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\installer.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CC92DC second address: CC9308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 xor di, 6E00h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FD228B1E7DCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CC93BC second address: CC93D7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD22947DF7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FD22947DF76h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CC93D7 second address: CC93E1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD228B1E7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CC970D second address: CC9721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FD22947DF76h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CC9F49 second address: CC9F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CC9F4D second address: CC9F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CC9F56 second address: CC9FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 or di, B100h 0x0000000e push 00000000h 0x00000010 jmp 00007FD228B1E7D9h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 movzx esi, bx 0x0000001b pop edi 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e jmp 00007FD228B1E7D4h 0x00000023 jmp 00007FD228B1E7D0h 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FD228B1E7D6h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CC9FC6 second address: CC9FCB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CCB929 second address: CCB92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CCB92D second address: CCB971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007FD22947DF83h 0x0000000f jmp 00007FD22947DF84h 0x00000014 pop ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CCE4D3 second address: CCE4F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CCE2D0 second address: CCE2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CD0EF9 second address: CD0EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CD3A29 second address: CD3A33 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD22947DF7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CD8EBE second address: CD8EC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDAEBD second address: CDAEC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CD805F second address: CD8072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CD7039 second address: CD703F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDBD35 second address: CDBD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+124487C1h], edi 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 movsx edi, di 0x00000015 pop ebx 0x00000016 mov edi, 136CC90Eh 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007FD228B1E7C8h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDBD7A second address: CDBD84 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDBD84 second address: CDBD9F instructions: 0x00000000 rdtsc 0x00000002 js 00007FD228B1E7C8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD228B1E7CCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDC019 second address: CDC01E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDC01E second address: CDC03A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDC03A second address: CDC04F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jng 00007FD22947DF78h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDEB90 second address: CDEC04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FD228B1E7C6h 0x00000009 jmp 00007FD228B1E7D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FD228B1E7C8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov bl, 1Ah 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FD228B1E7C8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a movsx edi, bx 0x0000004d push 00000000h 0x0000004f mov bx, ax 0x00000052 xchg eax, esi 0x00000053 pushad 0x00000054 push edi 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDEC04 second address: CDEC0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDEC0C second address: CDEC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDEC12 second address: CDEC23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FD22947DF78h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDFB6E second address: CDFB72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CE19F4 second address: CE19FA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDDDCE second address: CDDDE5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD228B1E7CEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CE19FA second address: CE1A11 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD22947DF7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDFD2B second address: CDFD43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CE1A11 second address: CE1A1B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDDDE5 second address: CDDE4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov di, dx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov ebx, dword ptr [ebp+122D1D37h] 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 xor bl, 00000036h 0x00000024 mov eax, dword ptr [ebp+122D01E1h] 0x0000002a mov ebx, 60C60267h 0x0000002f push FFFFFFFFh 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007FD228B1E7C8h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b or edi, dword ptr [ebp+122D2900h] 0x00000051 sub dword ptr [ebp+1247105Dh], ebx 0x00000057 nop 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push ebx 0x0000005c pop ebx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDFD43 second address: CDFDDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b push edi 0x0000000c pop ebx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FD22947DF78h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e movzx edi, ax 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007FD22947DF78h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 call 00007FD22947DF82h 0x00000057 pop edi 0x00000058 mov eax, dword ptr [ebp+122D1041h] 0x0000005e sbb ebx, 1A944DFDh 0x00000064 push FFFFFFFFh 0x00000066 mov dword ptr [ebp+122D230Ch], edx 0x0000006c push eax 0x0000006d pushad 0x0000006e push edx 0x0000006f push ebx 0x00000070 pop ebx 0x00000071 pop edx 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDDE4C second address: CDDE50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDFDDE second address: CDFDE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDDE50 second address: CDDE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FD228B1E7C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDDE5E second address: CDDE6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CDDE6B second address: CDDE6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CE1C15 second address: CE1C26 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CE38C5 second address: CE38DD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD228B1E7D0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CE3B79 second address: CE3B8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CE3B8A second address: CE3B94 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD228B1E7CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CECB78 second address: CECB7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CECB7C second address: CECB9D instructions: 0x00000000 rdtsc 0x00000002 je 00007FD228B1E7C6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD228B1E7D2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CEC32F second address: CEC350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FD22947DF85h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CEC600 second address: CEC60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jbe 00007FD228B1E7C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CEC73A second address: CEC74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 jnp 00007FD22947DF7Eh 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CEC74B second address: CEC74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CEC74F second address: CEC757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CEC757 second address: CEC75B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CEC75B second address: CEC761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CF57F5 second address: CF57F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CF5969 second address: CF59A1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD22947DF89h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD22947DF81h 0x0000000f jmp 00007FD22947DF85h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CF59A1 second address: CF59C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FD228B1E7D8h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CF59C8 second address: CF59CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CF5C63 second address: CF5C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CF5DBF second address: CF5DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFA378 second address: CFA37D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFA37D second address: CFA389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD22947DF76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFA389 second address: CFA3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FD228B1E7CCh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD228B1E7D2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFA3B0 second address: CFA3B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFA3B8 second address: CFA3C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: C8C14D second address: C8C153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: C8C153 second address: C8C15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: C8C15E second address: C8C184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FD22947DF8Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD22947DF7Ah 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFE8D6 second address: CFE8F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD228B1E7D4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFE8F2 second address: CFE908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD22947DF81h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFE908 second address: CFE927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD228B1E7D9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFE927 second address: CFE92B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFE92B second address: CFE952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnc 00007FD228B1E7C6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 jmp 00007FD228B1E7CFh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: CFF28D second address: CFF291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: C92BFD second address: C92C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D024A7 second address: D024C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FD22947DF83h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D0664D second address: D0667E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D4h 0x00000007 jmp 00007FD228B1E7D1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D0667E second address: D06686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D06C1D second address: D06C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D06C21 second address: D06C2E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D06C2E second address: D06C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D06C37 second address: D06C57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD22947DF7Ah 0x00000008 jmp 00007FD22947DF7Fh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D07012 second address: D07016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94FA7 second address: D94FBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FD22947DF7Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94FBA second address: D94FCC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94FCC second address: D94FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94FD0 second address: D94FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94FD4 second address: D94FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD22947DF83h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94A9D second address: D94ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jc 00007FD228B1E7D8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94ABA second address: D94AF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FD22947DF76h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD22947DF7Dh 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD22947DF86h 0x0000001b jo 00007FD22947DF76h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94AF4 second address: D94B12 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD228B1E7C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jg 00007FD228B1E7C6h 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 jc 00007FD228B1E7C6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94B12 second address: D94B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: D94B16 second address: D94B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FD228B1E7CEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DBFAF9 second address: DBFAFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DBFAFD second address: DBFB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD228B1E7CDh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DBEC8E second address: DBEC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DBEC92 second address: DBEC96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DBEDE0 second address: DBEDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DBF4E5 second address: DBF4F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FD228B1E7C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DBF4F5 second address: DBF50F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF86h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC27DF second address: DC27E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC27E3 second address: DC27E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC27E7 second address: DC27ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC27ED second address: DC281E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FD22947DF93h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD22947DF85h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC2A7E second address: DC2AC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dx, 7F58h 0x00000010 push dword ptr [ebp+1244DFE4h] 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FD228B1E7C8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 call 00007FD228B1E7C9h 0x00000035 push eax 0x00000036 push edx 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC2AC2 second address: DC2AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC2AC7 second address: DC2ACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC2ACE second address: DC2AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FD22947DF7Ch 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FD22947DF76h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC2AEF second address: DC2B14 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD228B1E7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FD228B1E7C8h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 pushad 0x00000017 jg 00007FD228B1E7C6h 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC3D78 second address: DC3D92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC3D92 second address: DC3D99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC3D99 second address: DC3DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD22947DF80h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC3DB2 second address: DC3DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC3DB6 second address: DC3DCA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ecx 0x0000000a ja 00007FD22947DF76h 0x00000010 pop ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC563E second address: DC5644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC5644 second address: DC5649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC5649 second address: DC566F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD228B1E7D2h 0x00000008 jne 00007FD228B1E7C6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC566F second address: DC5673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC5673 second address: DC568A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FD228B1E7CAh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC568A second address: DC56A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD22947DF81h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC7615 second address: DC761B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC761B second address: DC7621 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC7621 second address: DC7632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007FD228B1E7C6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC7632 second address: DC763D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: DC763D second address: DC7648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD228B1E7C6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55008F9 second address: 5500916 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5500916 second address: 5500938 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 005D5C02h 0x00000008 mov dx, 364Eh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD228B1E7D0h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54D006C second address: 54D0070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54D0070 second address: 54D0074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54D0074 second address: 54D007A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5540165 second address: 554016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 554016C second address: 554017B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 554017B second address: 55401DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FD228B1E7CEh 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007FD228B1E7D1h 0x00000018 mov di, cx 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d jmp 00007FD228B1E7CAh 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FD228B1E7CAh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55401DB second address: 55401E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54C0C6E second address: 54C0C74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54C0C74 second address: 54C0CF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FD22947DF88h 0x0000000b and ch, FFFFFFA8h 0x0000000e jmp 00007FD22947DF7Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov ax, 1EBBh 0x0000001d pushfd 0x0000001e jmp 00007FD22947DF80h 0x00000023 and ch, 00000008h 0x00000026 jmp 00007FD22947DF7Bh 0x0000002b popfd 0x0000002c popad 0x0000002d push eax 0x0000002e jmp 00007FD22947DF89h 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FD22947DF7Dh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54C0CF5 second address: 54C0D22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FD228B1E7CEh 0x00000010 push dword ptr [ebp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54C0D22 second address: 54C0D68 instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FD22947DF84h 0x0000000d sbb esi, 08308958h 0x00000013 jmp 00007FD22947DF7Bh 0x00000018 popfd 0x00000019 popad 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FD22947DF80h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54C0D68 second address: 54C0D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54C0D6C second address: 54C0D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54C0DE3 second address: 54C0DE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54C0DE7 second address: 54C0DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5530DA0 second address: 5530DC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 5A41BA53h 0x00000010 push eax 0x00000011 push edx 0x00000012 mov esi, 6AB38C45h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5530DC3 second address: 5530DE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 mov edx, 52A23CC0h 0x0000000e movsx ebx, si 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 pushad 0x00000014 movzx esi, bx 0x00000017 mov bh, B5h 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov dx, 3752h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5530DE8 second address: 5530DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5510B7A second address: 5510B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF89h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5510B97 second address: 5510BBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD228B1E7CDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5540D84 second address: 5540E51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007FD22947DF7Eh 0x00000010 push esi 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007FD22947DF87h 0x00000019 sub al, FFFFFFDEh 0x0000001c jmp 00007FD22947DF89h 0x00000021 popfd 0x00000022 popad 0x00000023 push eax 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FD22947DF87h 0x0000002b and si, 64EEh 0x00000030 jmp 00007FD22947DF89h 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007FD22947DF80h 0x0000003c add ax, 4C68h 0x00000041 jmp 00007FD22947DF7Bh 0x00000046 popfd 0x00000047 popad 0x00000048 xchg eax, ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FD22947DF85h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54D05FA second address: 54D0600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54D0600 second address: 54D0604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54D0604 second address: 54D0696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FD228B1E7CAh 0x00000010 sub cl, 00000048h 0x00000013 jmp 00007FD228B1E7CBh 0x00000018 popfd 0x00000019 mov si, D5BFh 0x0000001d popad 0x0000001e mov dword ptr [esp], ebp 0x00000021 pushad 0x00000022 mov ah, BDh 0x00000024 pushfd 0x00000025 jmp 00007FD228B1E7CDh 0x0000002a xor esi, 07667F66h 0x00000030 jmp 00007FD228B1E7D1h 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FD228B1E7CCh 0x00000040 xor ch, 00000008h 0x00000043 jmp 00007FD228B1E7CBh 0x00000048 popfd 0x00000049 popad 0x0000004a pop ebp 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FD228B1E7D7h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54D0696 second address: 54D06B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5530E24 second address: 5530E80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 pushfd 0x00000007 jmp 00007FD228B1E7D0h 0x0000000c and cl, FFFFFFF8h 0x0000000f jmp 00007FD228B1E7CBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a mov eax, 3B33C04Bh 0x0000001f pushfd 0x00000020 jmp 00007FD228B1E7D0h 0x00000025 or si, 2D58h 0x0000002a jmp 00007FD228B1E7CBh 0x0000002f popfd 0x00000030 popad 0x00000031 push eax 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 mov edi, 653D9C88h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5530E80 second address: 5530F23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, ecx 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e movzx ecx, bx 0x00000011 pushfd 0x00000012 jmp 00007FD22947DF85h 0x00000017 xor eax, 0A87D256h 0x0000001d jmp 00007FD22947DF81h 0x00000022 popfd 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 movzx ecx, dx 0x0000002a push edx 0x0000002b pushfd 0x0000002c jmp 00007FD22947DF84h 0x00000031 xor ax, D3A8h 0x00000036 jmp 00007FD22947DF7Bh 0x0000003b popfd 0x0000003c pop esi 0x0000003d popad 0x0000003e pop ebp 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007FD22947DF80h 0x00000048 xor eax, 42F34608h 0x0000004e jmp 00007FD22947DF7Bh 0x00000053 popfd 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5540521 second address: 554052A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, 1DFCh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 554052A second address: 5540551 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD22947DF7Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5540551 second address: 5540557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5540557 second address: 554055B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 554055B second address: 554055F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 554055F second address: 5540577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD22947DF7Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5540577 second address: 554057D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 554057D second address: 55405C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 7E0CB1C1h 0x00000008 pushfd 0x00000009 jmp 00007FD22947DF7Eh 0x0000000e and cx, 55D8h 0x00000013 jmp 00007FD22947DF7Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD22947DF85h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55405C1 second address: 55405F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007FD228B1E7CEh 0x00000011 and dword ptr [eax], 00000000h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov dx, 24B0h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55405F3 second address: 55405F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54B0B2A second address: 54B0B6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD22947DF87h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FD22947DF84h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD22947DF7Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54B0B6F second address: 54B0B9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD228B1E7D6h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 mov di, si 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 54B0B9D second address: 54B0BDC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD22947DF88h 0x00000008 add si, 8948h 0x0000000d jmp 00007FD22947DF7Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov cx, 38BFh 0x00000019 popad 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov esi, ebx 0x00000020 mov edx, 7A2E3B8Eh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55600BB second address: 556012D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD228B1E7CCh 0x00000011 adc cl, 00000058h 0x00000014 jmp 00007FD228B1E7CBh 0x00000019 popfd 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FD228B1E7CBh 0x00000024 and ax, E01Eh 0x00000029 jmp 00007FD228B1E7D9h 0x0000002e popfd 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 556012D second address: 5560131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5560131 second address: 5560135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5560135 second address: 556013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 556013B second address: 556014B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 556014B second address: 556014F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5510D1C second address: 5510D3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, F5h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD228B1E7D3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5510D3C second address: 5510D90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2EC1A0AAh 0x00000008 pushfd 0x00000009 jmp 00007FD22947DF7Bh 0x0000000e add esi, 7CBA654Eh 0x00000014 jmp 00007FD22947DF89h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e pushad 0x0000001f jmp 00007FD22947DF87h 0x00000024 push eax 0x00000025 push edx 0x00000026 mov edi, eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5510D90 second address: 5510DAD instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FD228B1E7CCh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5510DAD second address: 5510DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5510DB1 second address: 5510DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5510DB7 second address: 5510DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5590923 second address: 5590975 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 jmp 00007FD228B1E7CDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FD228B1E7CEh 0x00000013 mov ebp, esp 0x00000015 jmp 00007FD228B1E7D0h 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FD228B1E7D7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55909CD second address: 55909E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF88h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55909E9 second address: 55909ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55909ED second address: 5590A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b pushad 0x0000000c mov esi, 7F5D493Fh 0x00000011 popad 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5590A06 second address: 5590A1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5550563 second address: 5550582 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5550582 second address: 5550586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5550586 second address: 555058C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 555058C second address: 5550593 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 3Eh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5550593 second address: 55505AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FD22947DF7Ah 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55505AD second address: 55505B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55505B3 second address: 55505EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD22947DF82h 0x00000008 pop ecx 0x00000009 mov ecx, edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and esp, FFFFFFF0h 0x00000011 pushad 0x00000012 movsx edi, ax 0x00000015 mov ebx, ecx 0x00000017 popad 0x00000018 sub esp, 44h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD22947DF7Dh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55505EA second address: 55505FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 55505FA second address: 5550612 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe RDTSC instruction interceptor: First address: 5550612 second address: 5550616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe Special instruction interceptor: First address: CBD25E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\installer.exe Special instruction interceptor: First address: CD199E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\installer.exe Special instruction interceptor: First address: D48510 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\installer.exe Special instruction interceptor: First address: CBBB23 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 46D25E instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 48199E instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 4F8510 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 46BB23 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 127D25E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 129199E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1308510 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 127BB23 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\installer.exe Code function: 0_2_0559088A rdtsc 0_2_0559088A
Source: C:\Users\user\Desktop\installer.exe Window / User API: threadDelayed 1023
Source: C:\Users\user\Desktop\installer.exe Window / User API: threadDelayed 990
Source: C:\Users\user\Desktop\installer.exe Window / User API: threadDelayed 391
Source: C:\Users\user\Desktop\installer.exe Window / User API: threadDelayed 1068
Source: C:\Users\user\Desktop\installer.exe Window / User API: threadDelayed 1105
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1163
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 403
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1103
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1067
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1191
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 374
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1104
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1180
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1154
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 400
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1107
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1109
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1113
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 401
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1110
Source: C:\Users\user\Desktop\installer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\installer.exe TID: 5724 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\Desktop\installer.exe TID: 3460 Thread sleep count: 1023 > 30
Source: C:\Users\user\Desktop\installer.exe TID: 3460 Thread sleep time: -2047023s >= -30000s
Source: C:\Users\user\Desktop\installer.exe TID: 4620 Thread sleep count: 102 > 30
Source: C:\Users\user\Desktop\installer.exe TID: 5712 Thread sleep count: 990 > 30
Source: C:\Users\user\Desktop\installer.exe TID: 5712 Thread sleep time: -1980990s >= -30000s
Source: C:\Users\user\Desktop\installer.exe TID: 4620 Thread sleep count: 123 > 30
Source: C:\Users\user\Desktop\installer.exe TID: 6252 Thread sleep count: 391 > 30
Source: C:\Users\user\Desktop\installer.exe TID: 3108 Thread sleep count: 1068 > 30
Source: C:\Users\user\Desktop\installer.exe TID: 3108 Thread sleep time: -2137068s >= -30000s
Source: C:\Users\user\Desktop\installer.exe TID: 1012 Thread sleep count: 1105 > 30
Source: C:\Users\user\Desktop\installer.exe TID: 1012 Thread sleep time: -2211105s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6960 Thread sleep count: 36 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6960 Thread sleep time: -72036s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4972 Thread sleep count: 1163 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4972 Thread sleep time: -2327163s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2496 Thread sleep count: 51 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2496 Thread sleep count: 137 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2748 Thread sleep count: 403 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4304 Thread sleep count: 1103 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4304 Thread sleep time: -2207103s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6184 Thread sleep count: 1067 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6184 Thread sleep time: -2135067s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6684 Thread sleep count: 1191 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6684 Thread sleep time: -2383191s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3268 Thread sleep count: 51 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4988 Thread sleep count: 1080 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4988 Thread sleep time: -2161080s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3268 Thread sleep count: 122 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4568 Thread sleep count: 374 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3504 Thread sleep count: 1104 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3504 Thread sleep time: -2209104s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4000 Thread sleep count: 1180 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4000 Thread sleep time: -2361180s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4196 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4196 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1428 Thread sleep count: 1154 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1428 Thread sleep time: -2309154s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7024 Thread sleep count: 168 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3820 Thread sleep count: 400 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2404 Thread sleep count: 1107 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2404 Thread sleep time: -2215107s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4052 Thread sleep count: 1109 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4052 Thread sleep time: -2219109s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6316 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5668 Thread sleep count: 1113 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5668 Thread sleep time: -2227113s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4368 Thread sleep count: 149 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6780 Thread sleep count: 401 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5840 Thread sleep count: 1110 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5840 Thread sleep time: -2221110s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RageMP131.exe, RageMP131.exe, 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000007.00000002.3366635395.0000000000C96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_80A358DA2
Source: MPGPH131.exe, 00000007.00000003.2212616312.0000000000C96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
Source: installer.exe, 00000000.00000002.3366357434.00000000013F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}D
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000D65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: installer.exe, 00000000.00000002.3366357434.0000000001448000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A
Source: RageMP131.exe, 00000008.00000002.3354481282.00000000008CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\5
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000D65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_80A358DA
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&#
Source: RageMP131.exe, 0000000C.00000003.2359805794.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: installer.exe, 00000000.00000002.3366357434.0000000001434000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3366350121.0000000001675000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3366635395.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3354916992.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: installer.exe, 00000000.00000002.3366357434.0000000001434000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&X
Source: installer.exe, 00000000.00000002.3366357434.00000000013CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}+
Source: RageMP131.exe, 00000008.00000002.3354481282.0000000000904000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*
Source: installer.exe, 00000000.00000002.3366247638.000000000135B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: installer.exe, 00000000.00000002.3366357434.000000000143F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&165
Source: MPGPH131.exe, 00000006.00000002.3366350121.0000000001640000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}^1{v
Source: RageMP131.exe, 00000008.00000002.3354481282.0000000000904000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: RageMP131.exe, 00000008.00000002.3353547935.00000000003FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}X
Source: MPGPH131.exe, 00000007.00000002.3366317336.0000000000AFC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: installer.exe, 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000007.00000002.3366635395.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\installer.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\installer.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\installer.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_054E010D Start: 054E014C End: 054E0150 6_2_054E010D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_04CA0E07 Start: 04CA0ED7 End: 04CA0E8C 7_2_04CA0E07
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_052E0235 Start: 052E0323 End: 052E031F 12_2_052E0235
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\installer.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\installer.exe Code function: 0_2_0559088A rdtsc 0_2_0559088A
Source: installer.exe, 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: o(c}>Program Manager
Source: installer.exe, installer.exe, 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: (c}>Program Manager
Source: C:\Users\user\Desktop\installer.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\installer.exe Code function: 0_2_009C361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_009C361D
Source: C:\Users\user\Desktop\installer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: installer.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 6108, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: installer.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 6108, type: MEMORYSTR