Windows Analysis Report
jUlAlD6KHz.exe

Overview

General Information

Sample name: jUlAlD6KHz.exe
Renamed because the original name is a hash value
Original sample name: 7d9b6f9242168dc0571a8b83e50d1256.exe
Analysis ID: 1417236
MD5: 7d9b6f9242168dc0571a8b83e50d1256
SHA1: 145c45bbd8b3ea17c883b96242ecf54429ab80ae
SHA256: 5c3c9f8ec4815cc85cc6684cfb32f285d7016c9dd8568038a71bb77714e8194b
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Adds extensions / path to Windows Defender exclusion list (Registry)
Connects to many ports of the same IP (likely port scanning)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Group Policy settings
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Windows Defender Exclusions Added - Registry
Steals Internet Explorer cookies
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: jUlAlD6KHz.exe Avira: detected
Source: http://193.233.132.167/cost/lenin.exe URL Reputation: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exeom Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exenfinitecoin Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exe.ll Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exeunt.live.com Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeP Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exe) Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeger Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exeLitecoinH8 Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeorynet Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exeamadka. Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exei Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exeP-B; Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exeUser Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeS Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exe~ Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exenal Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exem Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exe43 Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exet Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exeta Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exeomW Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exe43A Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exeka.exeomr Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe) Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: HEUR/AGEN.1313517
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1313517
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 65%
Source: jUlAlD6KHz.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: jUlAlD6KHz.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_0096F8D0 CryptUnprotectData,CryptUnprotectData, 0_2_0096F8D0
Source: jUlAlD6KHz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49722 version: TLS 1.2

Change of critical system settings

Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_0095A160 GetFileAttributesA,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error, 0_2_0095A160
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A2C7AB FindFirstFileExW, 0_2_00A2C7AB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00460060 FindFirstFileA,FindNextFileA, 16_2_00460060
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0044A160 GetFileAttributesA,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error, 16_2_0044A160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0051C7AB FindFirstFileExW, 16_2_0051C7AB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00460060 FindFirstFileA,FindNextFileA, 17_2_00460060
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0044A160 GetFileAttributesA,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error, 17_2_0044A160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0051C7AB FindFirstFileExW, 17_2_0051C7AB
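The Defender exclusion writes listed in this section do not go to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions; they go to the per-user Group Policy cache under HKEY_CURRENT_USER\...\CurrentVersion\group policy objects\{GUID}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions, first enabling the list (value Exclusions_Extensions on the Exclusions key) and then adding the extension "exe". A registry rule that only looks at HKLM misses all of it. The Python below is an added example, not part of this report or of Joe Sandbox: it matches the Exclusions key and its Paths/Extensions/Processes subkeys under any hive, tags writes that went through the GPO cache, and contrasts that with an HKLM-only matcher. The "process | operation | key | value" event format, the svchost.exe and explorer.exe control events, and the function names are constructed for the example; the three malicious keys are copied from the lines above.

```python
import re

# Constructed registry-write events in the form "process | operation | key | value-name".
# The first three keys are the ones this report lists for jUlAlD6KHz.exe and
# MPGPH131.exe; the svchost and explorer events are benign controls added here.
SAMPLE_EVENTS = [
    r"C:\Users\user\Desktop\jUlAlD6KHz.exe | RegSetValue | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions | Exclusions_Extensions",
    r"C:\Users\user\Desktop\jUlAlD6KHz.exe | RegSetValue | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions | exe",
    r"C:\ProgramData\MPGPH131\MPGPH131.exe | RegSetValue | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions | exe",
    r"C:\Windows\System32\svchost.exe | RegSetValue | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Program Files\Vendor",
    r"C:\Windows\explorer.exe | RegSetValue | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Hidden",
]

# Matches the Exclusions key and its Paths/Extensions/Processes subkeys regardless of
# hive: the direct Defender key, the Policies key, and the per-user GPO cache copy of
# the Policies key that this sample writes to.
EXCLUSION_RE = re.compile(
    r"\\Microsoft\\Windows Defender\\Exclusions(?:\\(Paths|Extensions|Processes))?(?=\\|$)",
    re.IGNORECASE,
)
# Per-user Group Policy cache: ...\CurrentVersion\Group Policy Objects\{GUID}Machine\ or {GUID}User\
GPO_CACHE_RE = re.compile(
    r"\\CurrentVersion\\Group Policy Objects\\\{[0-9A-F-]{36}\}(?:Machine|User)\\",
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Split one constructed event line into its four fields."""
    process, op, key, value = (part.strip() for part in line.split(" | ", 3))
    return {"process": process, "op": op, "key": key, "value": value}


def is_exclusion_write(ev: dict) -> bool:
    """Hive-agnostic check: any value set on a Defender Exclusions key or subkey."""
    return ev["op"] == "RegSetValue" and EXCLUSION_RE.search(ev["key"]) is not None


def is_exclusion_write_hklm_only(ev: dict) -> bool:
    """The weak form: fires only under HKLM, so the GPO-cache writes under HKCU slip through."""
    return ev["key"].upper().startswith("HKEY_LOCAL_MACHINE\\") and is_exclusion_write(ev)


def scan(lines, matcher=is_exclusion_write) -> list:
    """Return the matching events, annotated with the exclusion type and whether the
    write went through the per-user GPO cache."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not matcher(ev):
            continue
        subkey = EXCLUSION_RE.search(ev["key"]).group(1)
        # A write to the Exclusions key itself carries the list name in the value name
        # (Exclusions_Extensions); a write to a subkey carries the excluded item.
        ev["exclusion_type"] = subkey or ev["value"]
        ev["via_gpo_cache"] = GPO_CACHE_RE.search(ev["key"]) is not None
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f'{ev["process"]} -> {ev["exclusion_type"]} = {ev["value"]} (gpo_cache={ev["via_gpo_cache"]})')
    print("HKLM-only rule hits:", len(scan(SAMPLE_EVENTS, is_exclusion_write_hklm_only)))
```

Against the constructed events the hive-agnostic matcher returns four hits (three of them via the GPO cache) while the HKLM-only matcher returns only the svchost.exe control. The same substring logic applies unchanged to the TargetObject field of Sysmon Event ID 13 (RegistryEvent, Value Set) or to EDR registry telemetry.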

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.7:49700 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.7:49700
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.74:58709 -> 192.168.2.7:49700
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.7:49703
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.7:49704
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49700 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49703 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49704 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.7:49709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49709 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.7:49716
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49716 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.74:58709 -> 192.168.2.7:49709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.74:58709 -> 192.168.2.7:49716
Source: global traffic TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.7:49700 -> 193.233.132.74:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15
Source: Joe Sandbox View IP Address: 172.67.75.166
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io (6 queries)
Source: global traffic HTTP traffic detected (5 occurrences):
    GET /widget/demo/102.165.48.43 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: ipinfo.io
Source: global traffic HTTP traffic detected (5 occurrences):
    GET /demo/home.php?s=102.165.48.43 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74 (50 occurrences)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0045DDC0 std::_Throw_Cpp_error,std::_Throw_Cpp_error,recv,setsockopt,setsockopt,recv,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,recv,Sleep,setsockopt,Sleep,recv,std::_Throw_Cpp_error,std::_Throw_Cpp_error,setsockopt,Sleep, 16_2_0045DDC0
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1893108875.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1971742701.0000000001531000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe)
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeLitecoinH8
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeamadka.
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exenfinitecoin
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeunt.live.com
Source: jUlAlD6KHz.exe, 00000000.00000003.1893037786.0000000001543000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1893108875.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1971742701.0000000001531000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeP
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeS
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeger
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exenal
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeorynet
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe~
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exe
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exe)
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exe.ll
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exeUser
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1893108875.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1971742701.0000000001531000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exei
Source: jUlAlD6KHz.exe, 00000000.00000003.1893108875.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exeka.exeomr
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exem
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exet
Source: jUlAlD6KHz.exe, 00000000.00000003.1893037786.0000000001543000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1893108875.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1971742701.0000000001531000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exe43
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exe43A
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exeP-B;
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exeom
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exeomW
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exeta
Source: Amcache.hve.34.dr String found in binary or memory: http://upx.sf.net
Source: jUlAlD6KHz.exe, 00000000.00000002.2132216693.0000000000951000.00000040.00000001.01000000.00000003.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1237843227.0000000005220000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.1296249635.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2202957067.0000000000441000.00000040.00000001.01000000.00000006.sdmp, MPGPH131.exe, 00000011.00000003.1296332877.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2179282109.0000000000441000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000003.1376086119.0000000005230000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2132330803.0000000000D41000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000002.2148843671.0000000000D41000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000003.1453811309.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: jUlAlD6KHz.exe, 00000000.00000003.1990058251.00000000063BC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1985260356.0000000006394000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1987625357.00000000063A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2104973520.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2098138227.0000000005D54000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2100446983.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085083134.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078315712.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080013985.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1956274175.0000000006253000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1957384922.0000000006263000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1960091944.0000000006272000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1959042330.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1960405646.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1965167827.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, hgVGsEfQ9x09Web Data.20.dr, L38Flzesp71fWeb Data.24.dr, qpr6XN5mg9uLWeb Data.0.dr, MusJyEihJF98Web Data.17.dr, VxKjJB6X6MXdWeb Data.16.dr, X2n6swCXJ031Web Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: jUlAlD6KHz.exe, 00000000.00000003.1990058251.00000000063BC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1985260356.0000000006394000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1987625357.00000000063A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2104973520.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2098138227.0000000005D54000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2100446983.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085083134.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078315712.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080013985.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1956274175.0000000006253000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1957384922.0000000006263000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1960091944.0000000006272000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1959042330.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1960405646.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1965167827.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, hgVGsEfQ9x09Web Data.20.dr, L38Flzesp71fWeb Data.24.dr, qpr6XN5mg9uLWeb Data.0.dr, MusJyEihJF98Web Data.17.dr, VxKjJB6X6MXdWeb Data.16.dr, X2n6swCXJ031Web Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: jUlAlD6KHz.exe, 00000000.00000003.1990058251.00000000063BC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1985260356.0000000006394000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1987625357.00000000063A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2104973520.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2098138227.0000000005D54000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2100446983.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085083134.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078315712.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080013985.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1956274175.0000000006253000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1957384922.0000000006263000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1960091944.0000000006272000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1959042330.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1960405646.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1965167827.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, hgVGsEfQ9x09Web Data.20.dr, L38Flzesp71fWeb Data.24.dr, qpr6XN5mg9uLWeb Data.0.dr, MusJyEihJF98Web Data.17.dr, VxKjJB6X6MXdWeb Data.16.dr, X2n6swCXJ031Web Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: jUlAlD6KHz.exe, 00000000.00000003.1990058251.00000000063BC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1985260356.0000000006394000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1987625357.00000000063A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2104973520.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2098138227.0000000005D54000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2100446983.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085083134.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078315712.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080013985.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1956274175.0000000006253000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1957384922.0000000006263000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1960091944.0000000006272000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1959042330.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1960405646.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1965167827.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, hgVGsEfQ9x09Web Data.20.dr, L38Flzesp71fWeb Data.24.dr, qpr6XN5mg9uLWeb Data.0.dr, MusJyEihJF98Web Data.17.dr, VxKjJB6X6MXdWeb Data.16.dr, X2n6swCXJ031Web Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1893108875.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1971742701.0000000001531000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/F
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.437
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43S
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1893108875.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.00000000016B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.165.48.43
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.165.48.43P
Source: MPGPH131.exe, 00000011.00000002.2182717521.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.165.48.43Q
Source: jUlAlD6KHz.exe, 00000000.00000003.1990058251.00000000063BC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1985260356.0000000006394000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1987625357.00000000063A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2104973520.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2098138227.0000000005D54000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2100446983.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085083134.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078315712.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080013985.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1956274175.0000000006253000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1957384922.0000000006263000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1960091944.0000000006272000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1959042330.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1960405646.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1965167827.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, hgVGsEfQ9x09Web Data.20.dr, L38Flzesp71fWeb Data.24.dr, qpr6XN5mg9uLWeb Data.0.dr, MusJyEihJF98Web Data.17.dr, VxKjJB6X6MXdWeb Data.16.dr, X2n6swCXJ031Web Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jUlAlD6KHz.exe, 00000000.00000003.1990058251.00000000063BC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1985260356.0000000006394000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1987625357.00000000063A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2104973520.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2098138227.0000000005D54000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2100446983.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085083134.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078315712.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080013985.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1956274175.0000000006253000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1957384922.0000000006263000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1960091944.0000000006272000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1959042330.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1960405646.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1965167827.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, hgVGsEfQ9x09Web Data.20.dr, L38Flzesp71fWeb Data.24.dr, qpr6XN5mg9uLWeb Data.0.dr, MusJyEihJF98Web Data.17.dr, VxKjJB6X6MXdWeb Data.16.dr, X2n6swCXJ031Web Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: jUlAlD6KHz.exe, 00000000.00000003.1990058251.00000000063BC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1985260356.0000000006394000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1987625357.00000000063A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2104973520.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2098138227.0000000005D54000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2100446983.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085083134.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078315712.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080013985.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1956274175.0000000006253000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1957384922.0000000006263000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1960091944.0000000006272000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1959042330.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1960405646.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1965167827.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, hgVGsEfQ9x09Web Data.20.dr, L38Flzesp71fWeb Data.24.dr, qpr6XN5mg9uLWeb Data.0.dr, MusJyEihJF98Web Data.17.dr, VxKjJB6X6MXdWeb Data.16.dr, X2n6swCXJ031Web Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 00000014.00000002.2137292986.000000000165E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/-
Source: MPGPH131.exe, 00000011.00000002.2182717521.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/C:
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1893108875.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2182717521.00000000010E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: jUlAlD6KHz.exe, 00000000.00000002.2132216693.0000000000951000.00000040.00000001.01000000.00000003.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1237843227.0000000005220000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.1296249635.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2202957067.0000000000441000.00000040.00000001.01000000.00000006.sdmp, MPGPH131.exe, 00000011.00000003.1296332877.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2179282109.0000000000441000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000003.1376086119.0000000005230000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2132330803.0000000000D41000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000002.2148843671.0000000000D41000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000003.1453811309.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/l
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2182717521.00000000010E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2182717521.000000000108A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.000000000165E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.00000000009E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43
Source: RageMP131.exe, 00000014.00000002.2137292986.000000000165E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43B
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43G
Source: RageMP131.exe, 00000018.00000002.2146898769.00000000009E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43N
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43b
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43g
Source: MPGPH131.exe, 00000011.00000002.2182717521.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43r
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2182717521.000000000108A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43
Source: 3b6N2Xdh3CYwplaces.sqlite.20.dr String found in binary or memory: https://support.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.20.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 3b6N2Xdh3CYwplaces.sqlite.20.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: RageMP131.exe, 00000014.00000002.2137292986.0000000001713000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.k
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.0000000001543000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000002.2136263704.000000000148E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2157408474.0000000001145000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183337078.0000000001145000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2182717521.000000000108A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.000000000165E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2150286222.0000000006210000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2150286222.0000000006246000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2155476690.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, ZC9N6dBzS5ZEt9m1PmZDOPh.zip.0.dr, VKmo9cHGC7A78S8pIPnaIQM.zip.20.dr, q54ck9WjU916t0raHCeE5cn.zip.24.dr, lj9CfpGnnFdMRw3dXDPtKQ6.zip.17.dr, onJm2E6cdj2U7BbKnzc2Vlq.zip.16.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTDEFAULT
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTII$=
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.0000000001543000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTM
Source: RageMP131.exe, 00000018.00000002.2155476690.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTQQT
Source: MPGPH131.exe, 00000011.00000003.2157408474.0000000001145000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183337078.0000000001145000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTQd
Source: RageMP131.exe, 00000014.00000002.2137292986.000000000165E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTUR
Source: MPGPH131.exe, 00000011.00000003.2157408474.0000000001145000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183337078.0000000001145000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTW
Source: MPGPH131.exe, 00000011.00000002.2182717521.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTu
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1983956022.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.16.dr, passwords.txt.24.dr, passwords.txt.20.dr, passwords.txt.0.dr, passwords.txt.17.dr String found in binary or memory: https://t.me/risepro_bot
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1971742701.0000000001531000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botM
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botSS
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botSS$
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botW
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botcu
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1971742701.0000000001531000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botp
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botu
Source: jUlAlD6KHz.exe, 00000000.00000003.1990058251.00000000063BC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1985260356.0000000006394000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1987625357.00000000063A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2104973520.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2098138227.0000000005D54000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2100446983.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085083134.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078315712.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080013985.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1956274175.0000000006253000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1957384922.0000000006263000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1960091944.0000000006272000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1959042330.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1960405646.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1965167827.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, hgVGsEfQ9x09Web Data.20.dr, L38Flzesp71fWeb Data.24.dr, qpr6XN5mg9uLWeb Data.0.dr, MusJyEihJF98Web Data.17.dr, VxKjJB6X6MXdWeb Data.16.dr, X2n6swCXJ031Web Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: jUlAlD6KHz.exe, 00000000.00000003.1990058251.00000000063BC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1985260356.0000000006394000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1987625357.00000000063A4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2104973520.0000000005D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2098138227.0000000005D54000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.2100446983.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085083134.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078315712.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080013985.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1956274175.0000000006253000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1957384922.0000000006263000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1960091944.0000000006272000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1959042330.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1960405646.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1965167827.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, hgVGsEfQ9x09Web Data.20.dr, L38Flzesp71fWeb Data.24.dr, qpr6XN5mg9uLWeb Data.0.dr, MusJyEihJF98Web Data.17.dr, VxKjJB6X6MXdWeb Data.16.dr, X2n6swCXJ031Web Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: 3b6N2Xdh3CYwplaces.sqlite.20.dr String found in binary or memory: https://www.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.20.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: 3b6N2Xdh3CYwplaces.sqlite.20.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.000000000171E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/e
Source: jUlAlD6KHz.exe, 00000000.00000002.2150254606.000000000637A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2213933698.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2105158973.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2093199607.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2108279592.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2102399685.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085863050.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2075517497.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078706949.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2100110148.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2077653413.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2082166036.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2116269238.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2096960773.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2084306097.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2091902515.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2097904662.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2079582915.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080356523.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2088494243.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2194557706.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/w
Source: 3b6N2Xdh3CYwplaces.sqlite.20.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.000000000171E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RageMP131.exe, 00000014.00000002.2137292986.000000000171E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ence
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/et
Source: jUlAlD6KHz.exe, 00000000.00000002.2150254606.000000000637A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2213933698.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2105158973.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2093199607.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2108279592.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2102399685.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2085863050.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2075517497.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2078706949.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2100110148.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2077653413.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2082166036.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2116269238.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2096960773.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2084306097.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2091902515.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2097904662.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2079582915.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2080356523.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2088494243.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2194557706.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000011.00000003.2157650721.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2183297107.0000000001134000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/inin
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/inl
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/tes_1
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49722 version: TLS 1.2

System Summary

Source: jUlAlD6KHz.exe Static PE information: section name:
Source: jUlAlD6KHz.exe Static PE information: section name: .idata
Source: jUlAlD6KHz.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\Windows\System32\GroupPolicy\User
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\Windows\System32\GroupPolicy\GPT.INI
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009A69A0 0_2_009A69A0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009921C0 0_2_009921C0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009811F0 0_2_009811F0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009B12C0 0_2_009B12C0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00980AE0 0_2_00980AE0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00986A00 0_2_00986A00
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_0097DBB0 0_2_0097DBB0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009ABBD0 0_2_009ABBD0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00984B00 0_2_00984B00
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009A6320 0_2_009A6320
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_0098D4D0 0_2_0098D4D0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A2BC20 0_2_00A2BC20
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_0095DC50 0_2_0095DC50
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00987C50 0_2_00987C50
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009985E0 0_2_009985E0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009A8670 0_2_009A8670
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_0098A7A0 0_2_0098A7A0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00991FA0 0_2_00991FA0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A3A73D 0_2_00A3A73D
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A318B0 0_2_00A318B0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009D90B0 0_2_009D90B0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A35038 0_2_00A35038
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A37070 0_2_00A37070
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A481A4 0_2_00A481A4
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE61BE 0_2_00EE61BE
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00999900 0_2_00999900
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009AE160 0_2_009AE160
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009D52B0 0_2_009D52B0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009E2AB0 0_2_009E2AB0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009D1220 0_2_009D1220
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A3AA7F 0_2_00A3AA7F
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009C4330 0_2_009C4330
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00969360 0_2_00969360
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00958CC0 0_2_00958CC0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009524F0 0_2_009524F0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009D5CE0 0_2_009D5CE0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009E5C10 0_2_009E5C10
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009E1DF0 0_2_009E1DF0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A4CD2E 0_2_00A4CD2E
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00980530 0_2_00980530
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009D4D20 0_2_009D4D20
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A6BE38 0_2_00A6BE38
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009E1630 0_2_009E1630
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009DFE40 0_2_009DFE40
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009D3790 0_2_009D3790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00460060 16_2_00460060
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0049E160 16_2_0049E160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004821C0 16_2_004821C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004711F0 16_2_004711F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004969A0 16_2_004969A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00476A00 16_2_00476A00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004A12C0 16_2_004A12C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00470AE0 16_2_00470AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00474B00 16_2_00474B00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00496320 16_2_00496320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0046DBB0 16_2_0046DBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0044DC50 16_2_0044DC50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00477C50 16_2_00477C50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0051BC20 16_2_0051BC20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0047D4D0 16_2_0047D4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004885E0 16_2_004885E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00498670 16_2_00498670
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0052A73D 16_2_0052A73D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0047A7A0 16_2_0047A7A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00481FA0 16_2_00481FA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00527070 16_2_00527070
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00525038 16_2_00525038
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004D60E0 16_2_004D60E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_005218B0 16_2_005218B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D61BE 16_2_009D61BE
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00489900 16_2_00489900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_005381A4 16_2_005381A4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0052AA7F 16_2_0052AA7F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004C1220 16_2_004C1220
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004C52B0 16_2_004C52B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004D2AB0 16_2_004D2AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004B4330 16_2_004B4330
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0049BBD0 16_2_0049BBD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004D5C10 16_2_004D5C10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004424F0 16_2_004424F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004C4D20 16_2_004C4D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00470530 16_2_00470530
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004D1DF0 16_2_004D1DF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004D1630 16_2_004D1630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004C3790 16_2_004C3790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00460060 17_2_00460060
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0049E160 17_2_0049E160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004821C0 17_2_004821C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004711F0 17_2_004711F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004969A0 17_2_004969A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00476A00 17_2_00476A00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004A12C0 17_2_004A12C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00470AE0 17_2_00470AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00474B00 17_2_00474B00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00496320 17_2_00496320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0046DBB0 17_2_0046DBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0044DC50 17_2_0044DC50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00477C50 17_2_00477C50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0051BC20 17_2_0051BC20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0047D4D0 17_2_0047D4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004885E0 17_2_004885E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00498670 17_2_00498670
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0052A73D 17_2_0052A73D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0047A7A0 17_2_0047A7A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00481FA0 17_2_00481FA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00527070 17_2_00527070
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00525038 17_2_00525038
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004D60E0 17_2_004D60E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_005218B0 17_2_005218B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_009D61BE 17_2_009D61BE
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00489900 17_2_00489900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_005381A4 17_2_005381A4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0052AA7F 17_2_0052AA7F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004C1220 17_2_004C1220
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004C52B0 17_2_004C52B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004D2AB0 17_2_004D2AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004B4330 17_2_004B4330
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0049BBD0 17_2_0049BBD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004D5C10 17_2_004D5C10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004424F0 17_2_004424F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004C4D20 17_2_004C4D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00470530 17_2_00470530
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004D1DF0 17_2_004D1DF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004D1630 17_2_004D1630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004C3790 17_2_004C3790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0051EAB0 appears 54 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 004AE350 appears 44 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7996 -s 1928
Source: jUlAlD6KHz.exe, 00000000.00000002.2138885773.0000000002F70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs jUlAlD6KHz.exe
Source: jUlAlD6KHz.exe, 00000000.00000002.2132490634.0000000000A83000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs jUlAlD6KHz.exe
Source: jUlAlD6KHz.exe Binary or memory string: OriginalFilenamefilezilla.exe4 vs jUlAlD6KHz.exe
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: gpedit.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: activeds.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: dssec.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: dsuiext.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: framedynos.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: adsldpc.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: dsrole.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: authz.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpedit.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: activeds.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dssec.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dsuiext.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: framedynos.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: adsldpc.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: authz.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dsrole.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: logoncli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mpr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: netutils.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntdsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpedit.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: activeds.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dssec.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dsuiext.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: framedynos.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: adsldpc.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: authz.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dsrole.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: logoncli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mpr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: netutils.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntdsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpedit.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: activeds.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dssec.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dsuiext.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: framedynos.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: adsldpc.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: authz.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dsrole.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntdsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpedit.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: activeds.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dssec.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dsuiext.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: framedynos.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: adsldpc.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: authz.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dsrole.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntdsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: jUlAlD6KHz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jUlAlD6KHz.exe Static PE information: Section: ZLIB complexity 0.9995343082740213
Source: jUlAlD6KHz.exe Static PE information: Section: qxbkaydy ZLIB complexity 0.9899024714052288
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9995343082740213
Source: RageMP131.exe.0.dr Static PE information: Section: qxbkaydy ZLIB complexity 0.9899024714052288
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9995343082740213
Source: MPGPH131.exe.0.dr Static PE information: Section: qxbkaydy ZLIB complexity 0.9899024714052288
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/139@5/4
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7480
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5440
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7996
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7516
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3964
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\Users\user~1\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File read: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jUlAlD6KHz.exe, 00000000.00000002.2132216693.0000000000951000.00000040.00000001.01000000.00000003.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1237843227.0000000005220000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.1296249635.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2202957067.0000000000441000.00000040.00000001.01000000.00000006.sdmp, MPGPH131.exe, 00000011.00000003.1296332877.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2179282109.0000000000441000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000003.1376086119.0000000005230000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2132330803.0000000000D41000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000002.2148843671.0000000000D41000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000003.1453811309.0000000004E60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: jUlAlD6KHz.exe, 00000000.00000002.2132216693.0000000000951000.00000040.00000001.01000000.00000003.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1237843227.0000000005220000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000003.1296249635.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2202957067.0000000000441000.00000040.00000001.01000000.00000006.sdmp, MPGPH131.exe, 00000011.00000003.1296332877.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2179282109.0000000000441000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000003.1376086119.0000000005230000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2132330803.0000000000D41000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000002.2148843671.0000000000D41000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000003.1453811309.0000000004E60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: MPGPH131.exe, 00000010.00000003.2108928764.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2090759284.0000000005DD8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000003.2076137669.0000000005D9A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1962746021.000000000173A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1953642815.000000000623B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000003.1955521556.000000000623B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1958962172.0000000000AAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1958300028.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, sJ8RZK7B7JamLogin Data.0.dr, uIronNuyFcXpLogin Data For Account.24.dr, c5g7z2jIxWq1Login Data.20.dr, fpoCRozfv6JGLogin Data.0.dr, J10fZ3pDqIs0Login Data For Account.16.dr, cLqUZahzyafULogin Data.16.dr, UVzneY97LLMqLogin Data For Account.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RageMP131.exe, 00000018.00000003.1977089217.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000003.1977045741.0000000005D41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE server_stored_cvc (instrument_id INTEGER PRIMARY KEY NOT NULL, value_encrypted VARCHAR NOT NULL, last_updated_timestamp INTEGER NOT NULL) NOT NULL DEFAULT 0, language_code VARCHAR, label VARCHAR, initial_creator_id INTEGER DEFAULT 0, last_modifier_id INTEGER DEFAULT 0)ber VARCHAR)DEFAULT 0, card_art_url VARCHAR, product_description VARCHAR, card_issuer_id VARCHAR, virtual_card_enrollment_type INTEGER DEFAULT 0);
Source: jUlAlD6KHz.exe ReversingLabs: Detection: 65%
Source: jUlAlD6KHz.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: jUlAlD6KHz.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File read: C:\Users\user\Desktop\jUlAlD6KHz.exe
Source: unknown Process created: C:\Users\user\Desktop\jUlAlD6KHz.exe "C:\Users\user\Desktop\jUlAlD6KHz.exe"
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7996 -s 1928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1244
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1840
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 2016
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 2044
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File written: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: jUlAlD6KHz.exe Static file information: File size 2308608 > 1048576
Source: jUlAlD6KHz.exe Static PE information: Raw size of qxbkaydy is bigger than: 0x100000 < 0x1a4c00

Data Obfuscation

Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Unpacked PE file: 0.2.jUlAlD6KHz.exe.950000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 16.2.MPGPH131.exe.440000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 17.2.MPGPH131.exe.440000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 20.2.RageMP131.exe.d40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 24.2.RageMP131.exe.d40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;qxbkaydy:EW;abjxyqxs:EW;
Source: initial sample Static PE information: section where entry point is pointing to: abjxyqxs
Source: jUlAlD6KHz.exe Static PE information: section name:
Source: jUlAlD6KHz.exe Static PE information: section name: .idata
Source: jUlAlD6KHz.exe Static PE information: section name:
Source: jUlAlD6KHz.exe Static PE information: section name: qxbkaydy
Source: jUlAlD6KHz.exe Static PE information: section name: abjxyqxs
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: qxbkaydy
Source: RageMP131.exe.0.dr Static PE information: section name: abjxyqxs
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: qxbkaydy
Source: MPGPH131.exe.0.dr Static PE information: section name: abjxyqxs
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE603E push 67B1A6CEh; mov dword ptr [esp], ebx 0_2_00EE6142
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE603E push eax; mov dword ptr [esp], 3DFF52EDh 0_2_00EE6150
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE603E push ecx; mov dword ptr [esp], 53727687h 0_2_00EE6165
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE603E push 710DC8F2h; mov dword ptr [esp], eax 0_2_00EE619B
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE6000 push 7D0740D4h; mov dword ptr [esp], ecx 0_2_00EE6005
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE6000 push ebp; mov dword ptr [esp], esi 0_2_00EE6013
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE6000 push 67B1A6CEh; mov dword ptr [esp], ebx 0_2_00EE6142
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE6000 push eax; mov dword ptr [esp], 3DFF52EDh 0_2_00EE6150
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE6000 push ecx; mov dword ptr [esp], 53727687h 0_2_00EE6165
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE6000 push 710DC8F2h; mov dword ptr [esp], eax 0_2_00EE619B
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE61BE push eax; mov dword ptr [esp], 2FF27EE8h 0_2_00EE61BF
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00EE61BE push edx; mov dword ptr [esp], 636A4588h 0_2_00EE6247
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A2E689 push ecx; ret 0_2_00A2E69C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D6000 push 7D0740D4h; mov dword ptr [esp], ecx 16_2_009D6005
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D6000 push ebp; mov dword ptr [esp], esi 16_2_009D6013
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D6000 push 67B1A6CEh; mov dword ptr [esp], ebx 16_2_009D6142
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D6000 push eax; mov dword ptr [esp], 3DFF52EDh 16_2_009D6150
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D6000 push ecx; mov dword ptr [esp], 53727687h 16_2_009D6165
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D6000 push 710DC8F2h; mov dword ptr [esp], eax 16_2_009D619B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D603E push 67B1A6CEh; mov dword ptr [esp], ebx 16_2_009D6142
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D603E push eax; mov dword ptr [esp], 3DFF52EDh 16_2_009D6150
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D603E push ecx; mov dword ptr [esp], 53727687h 16_2_009D6165
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D603E push 710DC8F2h; mov dword ptr [esp], eax 16_2_009D619B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D61BE push eax; mov dword ptr [esp], 2FF27EE8h 16_2_009D61BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_009D61BE push edx; mov dword ptr [esp], 636A4588h 16_2_009D6247
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0051E689 push ecx; ret 16_2_0051E69C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_009D6000 push 7D0740D4h; mov dword ptr [esp], ecx 17_2_009D6005
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_009D6000 push ebp; mov dword ptr [esp], esi 17_2_009D6013
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_009D6000 push 67B1A6CEh; mov dword ptr [esp], ebx 17_2_009D6142
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_009D6000 push eax; mov dword ptr [esp], 3DFF52EDh 17_2_009D6150
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_009D6000 push ecx; mov dword ptr [esp], 53727687h 17_2_009D6165
Source: jUlAlD6KHz.exe Static PE information: section name: entropy: 7.981209626424011
Source: jUlAlD6KHz.exe Static PE information: section name: qxbkaydy entropy: 7.950138684482594
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.981209626424011
Source: RageMP131.exe.0.dr Static PE information: section name: qxbkaydy entropy: 7.950138684482594
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.981209626424011
Source: MPGPH131.exe.0.dr Static PE information: section name: qxbkaydy entropy: 7.950138684482594
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: BFE4CD second address: BFE501 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE4194FB1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007FE4194FB1BCh 0x00000010 push esi 0x00000011 jmp 00007FE4194FB1C6h 0x00000016 pop esi 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push edi 0x0000001c pop edi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: BFE501 second address: BFE519 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE418E1146Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: BFE519 second address: BFE51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C00DC9 second address: C00DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE418E11471h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C00DDF second address: C00E8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4194FB1BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a movzx esi, cx 0x0000000d push 00000000h 0x0000000f mov edx, dword ptr [ebp+122D36D0h] 0x00000015 cmc 0x00000016 push B02D9876h 0x0000001b jmp 00007FE4194FB1C3h 0x00000020 add dword ptr [esp], 4FD2680Ah 0x00000027 mov dword ptr [ebp+122D38C1h], ebx 0x0000002d push 00000003h 0x0000002f xor dword ptr [ebp+122D2767h], edx 0x00000035 push 00000000h 0x00000037 mov esi, edx 0x00000039 push 00000003h 0x0000003b jmp 00007FE4194FB1C1h 0x00000040 push 8C076AB5h 0x00000045 jnp 00007FE4194FB1BEh 0x0000004b jne 00007FE4194FB1B8h 0x00000051 xor dword ptr [esp], 4C076AB5h 0x00000058 sub dword ptr [ebp+122D57A7h], eax 0x0000005e lea ebx, dword ptr [ebp+12449C95h] 0x00000064 and edi, 4223EA97h 0x0000006a xchg eax, ebx 0x0000006b jnc 00007FE4194FB1C5h 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 je 00007FE4194FB1B8h 0x0000007a push ebx 0x0000007b pop ebx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C00F08 second address: C00F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C00F0C second address: C00F4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FE4194FB1B8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 jbe 00007FE4194FB1BCh 0x0000002c or dword ptr [ebp+122D36D0h], esi 0x00000032 mov cx, si 0x00000035 push 60CD0A47h 0x0000003a push eax 0x0000003b push edx 0x0000003c push esi 0x0000003d push ecx 0x0000003e pop ecx 0x0000003f pop esi 0x00000040 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C00F4E second address: C00F9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 60CD0AC7h 0x00000011 push edi 0x00000012 push ebx 0x00000013 mov esi, 469A98B6h 0x00000018 pop edx 0x00000019 pop edx 0x0000001a push 00000003h 0x0000001c mov edx, ebx 0x0000001e movsx edi, dx 0x00000021 push 00000000h 0x00000023 jnc 00007FE418E11468h 0x00000029 push 00000003h 0x0000002b mov ecx, dword ptr [ebp+122D2BFEh] 0x00000031 call 00007FE418E11469h 0x00000036 jmp 00007FE418E1146Bh 0x0000003b push eax 0x0000003c push ecx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C01123 second address: C01127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C01127 second address: C011B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FE418E11477h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edi 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 pop edi 0x00000016 mov eax, dword ptr [eax] 0x00000018 jne 00007FE418E1147Fh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 jmp 00007FE418E11475h 0x00000027 pop eax 0x00000028 mov dword ptr [ebp+122D197Ch], edx 0x0000002e push 00000003h 0x00000030 mov edi, 2847BEF5h 0x00000035 push 00000000h 0x00000037 mov esi, 7C1C58C7h 0x0000003c push 00000003h 0x0000003e movzx esi, dx 0x00000041 push 5DE9FD3Bh 0x00000046 push edx 0x00000047 je 00007FE418E1146Ch 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C011B1 second address: C011D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 add dword ptr [esp], 621602C5h 0x0000000c mov di, E8D8h 0x00000010 lea ebx, dword ptr [ebp+12449CA9h] 0x00000016 adc si, C513h 0x0000001b push eax 0x0000001c push eax 0x0000001d jg 00007FE4194FB1BCh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C146E1 second address: C146E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C146E5 second address: C1470E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4194FB1BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE4194FB1C7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C211B0 second address: C211C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418E1146Fh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C211C9 second address: C211D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE4194FB1B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21363 second address: C21378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE418E11466h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FE418E11466h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21378 second address: C2137C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C2137C second address: C21382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21382 second address: C21388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21388 second address: C2138D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C2138D second address: C21395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21512 second address: C21526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE418E11470h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21526 second address: C2152A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C2152A second address: C21530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C216CC second address: C216D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C216D0 second address: C216F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FE418E11466h 0x0000000e jmp 00007FE418E11476h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21860 second address: C21896 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jbe 00007FE4194FB1B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FE4194FB1CCh 0x00000012 jp 00007FE4194FB1C2h 0x00000018 jl 00007FE4194FB1B6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21A25 second address: C21A2F instructions: 0x00000000 rdtsc 0x00000002 js 00007FE418E11466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21A2F second address: C21A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21A35 second address: C21A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE418E1146Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21B89 second address: C21B96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FE4194FB1B6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21FC2 second address: C21FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE418E11476h 0x0000000b jmp 00007FE418E11472h 0x00000010 popad 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C21FF5 second address: C22052 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE4194FB1BEh 0x00000008 jmp 00007FE4194FB1C3h 0x0000000d pop esi 0x0000000e jnc 00007FE4194FB1B8h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jno 00007FE4194FB1C6h 0x0000001d jmp 00007FE4194FB1C2h 0x00000022 push esi 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C2A538 second address: C2A578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418E1146Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE418E11471h 0x0000000e popad 0x0000000f push eax 0x00000010 jc 00007FE418E1148Fh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FE418E11477h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C2A578 second address: C2A596 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4194FB1BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d js 00007FE4194FB1C4h 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C2D9EE second address: C2DA0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE418E11471h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C2DBAE second address: C2DBB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C2DBB2 second address: C2DBB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C2E0FA second address: C2E100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30095 second address: C300A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE418E11466h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30472 second address: C30477 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30A46 second address: C30A4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30A8F second address: C30A93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30A93 second address: C30AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE418E11477h 0x0000000b popad 0x0000000c push eax 0x0000000d jg 00007FE418E1146Ch 0x00000013 xchg eax, ebx 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007FE418E11468h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e call 00007FE418E11471h 0x00000033 mov esi, dword ptr [ebp+122D28AAh] 0x00000039 pop edi 0x0000003a push eax 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e jnp 00007FE418E11466h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30AFE second address: C30B02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30C5A second address: C30C60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30CE8 second address: C30CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30CF1 second address: C30CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30E28 second address: C30E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30E2C second address: C30E43 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE418E11466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30E43 second address: C30E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30FAF second address: C30FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30FB3 second address: C30FE0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FE4194FB1C0h 0x0000000c pop ebx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 stc 0x00000012 xchg eax, ebx 0x00000013 push edi 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pop edi 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edi 0x00000021 pop edi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C30FE0 second address: C30FF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418E11474h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C31E6E second address: C31EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FE4194FB1B8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov esi, 20CD2832h 0x00000028 mov esi, 01C7D062h 0x0000002d push 00000000h 0x0000002f call 00007FE4194FB1C2h 0x00000034 mov si, di 0x00000037 pop edi 0x00000038 push 00000000h 0x0000003a mov edi, 6A4F7327h 0x0000003f xchg eax, ebx 0x00000040 jbe 00007FE4194FB1C2h 0x00000046 jp 00007FE4194FB1BCh 0x0000004c jns 00007FE4194FB1B6h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FE4194FB1BBh 0x0000005a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C31EDF second address: C31EE4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C32E3A second address: C32E45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C32E45 second address: C32E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007FE418E1146Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C32E54 second address: C32EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edi 0x00000009 call 00007FE4194FB1B8h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], edi 0x00000013 add dword ptr [esp+04h], 0000001Bh 0x0000001b inc edi 0x0000001c push edi 0x0000001d ret 0x0000001e pop edi 0x0000001f ret 0x00000020 mov edi, dword ptr [ebp+122D371Ah] 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007FE4194FB1B8h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 and edi, dword ptr [ebp+122D2A0Eh] 0x00000048 push 00000000h 0x0000004a add esi, dword ptr [ebp+122D2B06h] 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 jc 00007FE4194FB1B6h 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C32EC3 second address: C32EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C338A0 second address: C338A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C336C7 second address: C336D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edi 0x0000000a jbe 00007FE418E1146Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C338A4 second address: C33913 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE4194FB1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FE4194FB1B8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 or dword ptr [ebp+122D373Dh], ebx 0x0000002e push 00000000h 0x00000030 sbb di, 1EADh 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007FE4194FB1B8h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 00000015h 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D37B4h], edx 0x00000057 movsx edi, bx 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d pushad 0x0000005e popad 0x0000005f pop eax 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C340CA second address: C340DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE418E1146Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C34C7A second address: C34C8E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE4194FB1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C35A4C second address: C35AC4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007FE418E11466h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jp 00007FE418E11467h 0x00000015 cmc 0x00000016 jmp 00007FE418E11473h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007FE418E11468h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 push 00000000h 0x00000039 jmp 00007FE418E11476h 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FE418E1146Dh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C35AC4 second address: C35ACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C35ACA second address: C35ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C36528 second address: C365A7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE4194FB1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FE4194FB1B8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D36D0h] 0x0000002e mov esi, dword ptr [ebp+12452447h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007FE4194FB1B8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 jmp 00007FE4194FB1C0h 0x00000055 push 00000000h 0x00000057 xchg eax, ebx 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b jnp 00007FE4194FB1B6h 0x00000061 jbe 00007FE4194FB1B6h 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C365A7 second address: C365AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C36305 second address: C3630B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C36D71 second address: C36D83 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007FE418E11466h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3630B second address: C3630F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3AAB4 second address: C3AAB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3B981 second address: C3B985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C36D83 second address: C36D91 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE418E11466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3C809 second address: C3C822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FE4194FB1B6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007FE4194FB1B8h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3AAB8 second address: C3AAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C36D91 second address: C36D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3D9E7 second address: C3D9F5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE418E11466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3D9F5 second address: C3D9F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3EA81 second address: C3EA85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3EA85 second address: C3EA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3EA8B second address: C3EA9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE418E1146Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3FB3E second address: C3FBA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 jmp 00007FE4194FB1C3h 0x0000000e pop ebx 0x0000000f jne 00007FE4194FB1B8h 0x00000015 popad 0x00000016 nop 0x00000017 mov edi, dword ptr [ebp+122D288Ah] 0x0000001d push 00000000h 0x0000001f adc di, 7027h 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007FE4194FB1B8h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 0000001Ah 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 movsx edi, si 0x00000043 xchg eax, esi 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FE4194FB1BAh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C41A77 second address: C41B32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FE418E11473h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnp 00007FE418E11471h 0x00000012 nop 0x00000013 and ebx, 22B24520h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FE418E11468h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 add di, 6542h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007FE418E11468h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 00000014h 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 jmp 00007FE418E1146Ah 0x0000005b mov ebx, dword ptr [ebp+1244BCF3h] 0x00000061 push edx 0x00000062 jmp 00007FE418E11476h 0x00000067 pop edi 0x00000068 xchg eax, esi 0x00000069 jl 00007FE418E1146Eh 0x0000006f jg 00007FE418E11468h 0x00000075 push eax 0x00000076 jng 00007FE418E1146Eh 0x0000007c push ecx 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C42B51 second address: C42B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C43BC4 second address: C43BCE instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE418E11466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C43BCE second address: C43BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C43BD4 second address: C43BD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C43BD8 second address: C43C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FE4194FB1B8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 sub dword ptr [ebp+12449E40h], edi 0x0000002b push 00000000h 0x0000002d movzx edi, cx 0x00000030 jc 00007FE4194FB1BCh 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007FE4194FB1B8h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 xchg eax, esi 0x00000053 jmp 00007FE4194FB1BBh 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FE4194FB1C6h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C43C5E second address: C43C68 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE418E1146Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C44BA5 second address: C44BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C44BAA second address: C44BFF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE418E11468h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FE418E11468h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push ebx 0x00000028 mov dword ptr [ebp+1246526Fh], esi 0x0000002e pop ebx 0x0000002f push 00000000h 0x00000031 sub dword ptr [ebp+1246526Fh], esi 0x00000037 push 00000000h 0x00000039 jmp 00007FE418E1146Ch 0x0000003e push eax 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 push esi 0x00000043 pop esi 0x00000044 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C44BFF second address: C44C11 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE4194FB1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FE4194FB1B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C47FBB second address: C47FD0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FE418E1146Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C47FD0 second address: C47FDD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C47FDD second address: C47FFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418E11472h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE418E1146Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C47FFE second address: C48004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C48004 second address: C48008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3FD88 second address: C3FD8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C41CB3 second address: C41D33 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE418E11466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE418E11472h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, dword ptr [ebp+122D2A5Ah] 0x00000020 call 00007FE418E11479h 0x00000025 jmp 00007FE418E1146Dh 0x0000002a pop ebx 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov di, B3ACh 0x00000036 mov eax, dword ptr [ebp+122D1235h] 0x0000003c push edi 0x0000003d stc 0x0000003e pop ebx 0x0000003f push FFFFFFFFh 0x00000041 push ecx 0x00000042 jp 00007FE418E11466h 0x00000048 pop edi 0x00000049 mov bx, 072Bh 0x0000004d nop 0x0000004e je 00007FE418E11474h 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C41D33 second address: C41D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4861F second address: C48645 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FE418E11466h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE418E11474h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C48645 second address: C48649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C42D12 second address: C42D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4973F second address: C49745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C49745 second address: C4974A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4974A second address: C49772 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE4194FB1BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE4194FB1C5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C460CF second address: C460D5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4A78F second address: C4A79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FE4194FB1B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C48827 second address: C48848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE418E11479h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4A8F7 second address: C4A8FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4B89C second address: C4B8AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE418E1146Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4D6F0 second address: C4D708 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4194FB1C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4D708 second address: C4D712 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE418E1146Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4D712 second address: C4D723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FE4194FB1B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4D723 second address: C4D727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4D727 second address: C4D72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C4D72D second address: C4D738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FE418E11466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: BEC0B1 second address: BEC0B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: BEC0B7 second address: BEC0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C532B1 second address: C53318 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FE4194FB1BAh 0x00000008 jl 00007FE4194FB1B6h 0x0000000e pop ebx 0x0000000f jl 00007FE4194FB1D4h 0x00000015 jmp 00007FE4194FB1C8h 0x0000001a jnc 00007FE4194FB1B6h 0x00000020 pop edx 0x00000021 pop eax 0x00000022 jc 00007FE4194FB1E7h 0x00000028 jmp 00007FE4194FB1C2h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 jmp 00007FE4194FB1C1h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C53318 second address: C5331C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C53464 second address: C53490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE4194FB1C6h 0x00000009 popad 0x0000000a jmp 00007FE4194FB1C1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: BEDA45 second address: BEDA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: BEDA49 second address: BEDA66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4194FB1C0h 0x00000007 jbe 00007FE4194FB1B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: BEDA66 second address: BEDA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A5CD second address: C5A5D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A5D1 second address: C5A5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A6E0 second address: C5A6E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A6E4 second address: C5A71B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418E11471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007FE418E11479h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A825 second address: C5A83F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE4194FB1BCh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A83F second address: C5A843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A843 second address: C5A858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b je 00007FE4194FB1C8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A858 second address: C5A85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A85C second address: C5A86E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE4194FB1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A86E second address: C5A872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A872 second address: C5A878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A878 second address: C5A88E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE418E11472h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5A88E second address: C5A892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5F7C1 second address: C5F7C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5F7C5 second address: C5F7CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5F7CB second address: C5F82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FE418E11468h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FE418E1146Eh 0x00000013 popad 0x00000014 pushad 0x00000015 jns 00007FE418E1147Ch 0x0000001b pushad 0x0000001c jmp 00007FE418E11476h 0x00000021 jmp 00007FE418E11471h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5F82F second address: C5F83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5EB16 second address: C5EB5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418E1146Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FE418E1147Eh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007FE418E11476h 0x00000016 jmp 00007FE418E1146Ah 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jo 00007FE418E11468h 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5EB5B second address: C5EB77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE4194FB1C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5ECAA second address: C5ECAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5ECAE second address: C5ECB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5EF4E second address: C5EF58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FE418E11466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5F4DD second address: C5F4F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 jg 00007FE4194FB1B6h 0x0000000e jg 00007FE4194FB1B6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5F4F3 second address: C5F4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5F4FA second address: C5F500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5F500 second address: C5F504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C5F504 second address: C5F508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: BF953A second address: BF953E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C6509F second address: C650AF instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE4194FB1B6h 0x00000008 jp 00007FE4194FB1B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C64C21 second address: C64C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jo 00007FE418E11466h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C64C33 second address: C64C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE4194FB1B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE4194FB1C5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C64C57 second address: C64C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C64C5B second address: C64C82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4194FB1C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a js 00007FE4194FB1EAh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C64C82 second address: C64C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C64C86 second address: C64C90 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE4194FB1B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C658E5 second address: C658E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C658E9 second address: C65903 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE4194FB1C1h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C65903 second address: C6590F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE418E11466h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C6590F second address: C65914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C65914 second address: C65920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FE418E11466h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C65A41 second address: C65A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C65A49 second address: C65A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jne 00007FE418E11466h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C65A56 second address: C65A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C65BE9 second address: C65BED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C65BED second address: C65C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE4194FB1C7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C65C0C second address: C65C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C65C10 second address: C65C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C6D397 second address: C6D39B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C6C2A2 second address: C6C2B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE4194FB1C1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C6C835 second address: C6C839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C6C9A2 second address: C6CA0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FE4194FB1B6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FE4194FB1C1h 0x00000010 jmp 00007FE4194FB1C0h 0x00000015 popad 0x00000016 jmp 00007FE4194FB1C0h 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 jo 00007FE4194FB1B6h 0x00000028 popad 0x00000029 pushad 0x0000002a jmp 00007FE4194FB1C5h 0x0000002f jbe 00007FE4194FB1B6h 0x00000035 push eax 0x00000036 pop eax 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C6CCD9 second address: C6CD26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jng 00007FE418E11466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007FE418E1147Fh 0x00000012 jmp 00007FE418E11477h 0x00000017 pushad 0x00000018 popad 0x00000019 js 00007FE418E11488h 0x0000001f js 00007FE418E11468h 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FE418E1146Ch 0x0000002e jp 00007FE418E11466h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C6BBB6 second address: C6BBBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C6BBBC second address: C6BBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C70B79 second address: C70B7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C70B7D second address: C70B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C70B83 second address: C70B94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE4194FB1BCh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C70B94 second address: C70BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C75578 second address: C7557E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C74418 second address: C7441E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C7441E second address: C74423 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C74423 second address: C74439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE418E1146Eh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C37686 second address: C3768C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3768C second address: C37690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C37690 second address: C17AEE instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE4194FB1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jp 00007FE4194FB1CDh 0x00000013 jmp 00007FE4194FB1C7h 0x00000018 nop 0x00000019 or cl, FFFFFFF8h 0x0000001c lea eax, dword ptr [ebp+12480437h] 0x00000022 jmp 00007FE4194FB1C3h 0x00000027 sbb edx, 51270620h 0x0000002d push eax 0x0000002e pushad 0x0000002f pushad 0x00000030 push eax 0x00000031 pop eax 0x00000032 js 00007FE4194FB1B6h 0x00000038 popad 0x00000039 jne 00007FE4194FB1CBh 0x0000003f popad 0x00000040 mov dword ptr [esp], eax 0x00000043 mov di, dx 0x00000046 call dword ptr [ebp+1244C1C4h] 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FE4194FB1BCh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C3785F second address: C37866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C37866 second address: C3788A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE4194FB1BDh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FE4194FB1BCh 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C37CF7 second address: C37CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C37CFB second address: C37CFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C37CFF second address: C37D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: C37D80 second address: C37D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: CF8CC6 second address: CF8CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: CF8CD1 second address: CF8CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE41959684Ah 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FE41959684Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: CF8CF1 second address: CF8CF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: CF8B60 second address: CF8B7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE419596852h 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D0A098 second address: D0A0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D0A0A3 second address: D0A0A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D0A0A9 second address: D0A0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D0A0AD second address: D0A0C0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE419596846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop esi 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D0A0C0 second address: D0A0CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D0A0CB second address: D0A0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D0C1A7 second address: D0C1AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E338 second address: D2E33E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E33E second address: D2E342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E342 second address: D2E346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E346 second address: D2E375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE418722670h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE418722677h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E375 second address: D2E3AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596854h 0x00000007 jmp 00007FE419596853h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jbe 00007FE419596846h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E3AE second address: D2E3B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E6A5 second address: D2E6AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E6AA second address: D2E6B5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007FE418722666h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E813 second address: D2E839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596855h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE41959684Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2E97C second address: D2E99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 jmp 00007FE418722670h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 jnp 00007FE418722666h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2EC8B second address: D2ECA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE419596850h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2F08E second address: D2F094 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2F094 second address: D2F0AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE419596850h 0x00000009 jnp 00007FE419596846h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2F23A second address: D2F244 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE418722666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2F244 second address: D2F274 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE41959685Ch 0x00000008 jmp 00007FE419596854h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FE41959684Bh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2F274 second address: D2F278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2F278 second address: D2F27E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D2F27E second address: D2F29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE418722672h 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FE418722666h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D30C7B second address: D30C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 jnp 00007FE419596846h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D30C88 second address: D30C8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D30C8D second address: D30C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D338B6 second address: D338BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D338BC second address: D338C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D355EC second address: D355F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D355F2 second address: D355F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D355F8 second address: D355FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D35182 second address: D3518B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D3518B second address: D3518F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: D3518F second address: D35198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54106E2 second address: 54106E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54106E8 second address: 541079E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596857h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FE419596856h 0x00000011 push eax 0x00000012 jmp 00007FE41959684Bh 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov dl, ah 0x0000001b mov ax, bx 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 call 00007FE419596859h 0x00000027 pushfd 0x00000028 jmp 00007FE419596850h 0x0000002d add ax, B148h 0x00000032 jmp 00007FE41959684Bh 0x00000037 popfd 0x00000038 pop ecx 0x00000039 call 00007FE419596859h 0x0000003e mov ah, 4Dh 0x00000040 pop edi 0x00000041 popad 0x00000042 pop ebp 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FE41959684Fh 0x0000004a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53D0F59 second address: 53D0F5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53D0F5E second address: 53D0F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53D0F64 second address: 53D0F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FE418722670h 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE418722677h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54506DA second address: 5450747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 movzx esi, bx 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007FE419596856h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FE419596850h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FE41959684Dh 0x00000020 sub esi, 39C2C0B6h 0x00000026 jmp 00007FE419596851h 0x0000002b popfd 0x0000002c jmp 00007FE419596850h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450747 second address: 5450769 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 7D84h 0x00000007 mov si, dx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE418722672h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53D0CC1 second address: 53D0CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53D0CC8 second address: 53D0D45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, AD36h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FE418722676h 0x00000012 add ecx, 376BB458h 0x00000018 jmp 00007FE41872266Bh 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007FE418722674h 0x00000025 xchg eax, ebp 0x00000026 pushad 0x00000027 mov bx, ax 0x0000002a mov si, A4C9h 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 pushfd 0x00000035 jmp 00007FE418722670h 0x0000003a add esi, 0D997918h 0x00000040 jmp 00007FE41872266Bh 0x00000045 popfd 0x00000046 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53D0DC2 second address: 53D0DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53D0DC7 second address: 53D0DCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53D0DCD second address: 53D0DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 545049C second address: 54504C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418722672h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx ecx, bx 0x0000000f mov bh, DAh 0x00000011 popad 0x00000012 pop ebp 0x00000013 pushad 0x00000014 mov cx, 18A7h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5420B90 second address: 5420B9B instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 mov ebx, esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450E80 second address: 5450E84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450E84 second address: 5450E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450E8A second address: 5450EAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41872266Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE41872266Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450EAD second address: 5450EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450EB3 second address: 5450ED6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41872266Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE41872266Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450ED6 second address: 5450F15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596851h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FE41959684Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE419596857h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450F15 second address: 5450F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450F1B second address: 5450F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53E069D second address: 53E06C7 instructions: 0x00000000 rdtsc 0x00000002 call 00007FE418722674h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE41872266Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53E06C7 second address: 53E0704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE419596857h 0x00000009 and eax, 55C2E87Eh 0x0000000f jmp 00007FE419596859h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53E0704 second address: 53E0714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53E0714 second address: 53E0718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53E0718 second address: 53E071E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 53E071E second address: 53E076C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE41959684Eh 0x00000009 sub eax, 29FD32A8h 0x0000000f jmp 00007FE41959684Bh 0x00000014 popfd 0x00000015 mov ecx, 7451B59Fh 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 mov si, B997h 0x00000024 mov edx, ecx 0x00000026 popad 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FE419596855h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54504EB second address: 5450508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418722679h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450508 second address: 545050E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 545050E second address: 5450512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450512 second address: 5450528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE41959684Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450528 second address: 5450561 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418722679h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FE418722673h 0x00000014 mov bh, cl 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450561 second address: 545056A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 7117h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 545056A second address: 5450584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE41872266Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450BF9 second address: 5450C59 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE419596852h 0x00000008 adc ax, E4A8h 0x0000000d jmp 00007FE41959684Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007FE419596859h 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FE419596858h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450C59 second address: 5450C68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41872266Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450C68 second address: 5450CA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, BEh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FE419596859h 0x00000015 jmp 00007FE41959684Bh 0x0000001a popfd 0x0000001b mov dl, al 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450CA0 second address: 5450D0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418722672h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007FE418722670h 0x00000011 and dword ptr [eax], 00000000h 0x00000014 jmp 00007FE418722670h 0x00000019 and dword ptr [eax+04h], 00000000h 0x0000001d jmp 00007FE418722670h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov dl, 27h 0x00000028 call 00007FE418722676h 0x0000002d pop ecx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450D0E second address: 5450D14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450D14 second address: 5450D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5420AA1 second address: 5420B5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE41959684Fh 0x00000009 jmp 00007FE419596853h 0x0000000e popfd 0x0000000f mov edi, eax 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 jmp 00007FE419596852h 0x0000001a push eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FE419596851h 0x00000022 or ax, 8B06h 0x00000027 jmp 00007FE419596851h 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007FE419596850h 0x00000033 add ax, B1A8h 0x00000038 jmp 00007FE41959684Bh 0x0000003d popfd 0x0000003e popad 0x0000003f xchg eax, ebp 0x00000040 jmp 00007FE419596856h 0x00000045 mov ebp, esp 0x00000047 jmp 00007FE419596850h 0x0000004c pop ebp 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 mov dx, cx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 546013D second address: 54601A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE418722677h 0x00000009 xor cx, D67Eh 0x0000000e jmp 00007FE418722679h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FE418722670h 0x0000001a jmp 00007FE418722675h 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54601A8 second address: 54601AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54601AC second address: 54601BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41872266Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54601BF second address: 54601C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 4AA5F2FAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54601C9 second address: 5460215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a mov ebx, 08CD269Eh 0x0000000f pop ebx 0x00000010 push eax 0x00000011 mov bh, 6Bh 0x00000013 pop eax 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 push edi 0x00000018 call 00007FE418722674h 0x0000001d pop ecx 0x0000001e pop edi 0x0000001f movzx ecx, dx 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 jmp 00007FE418722673h 0x0000002a pop ebp 0x0000002b pushad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 540079A second address: 54007A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54007A0 second address: 54007A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54007A4 second address: 54007B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54007B3 second address: 54007B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54007B9 second address: 54007D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE419596853h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5460DCD second address: 5460ED0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418722671h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FE418722677h 0x00000011 sbb ecx, 3413CF5Eh 0x00000017 jmp 00007FE418722679h 0x0000001c popfd 0x0000001d mov edx, esi 0x0000001f popad 0x00000020 xchg eax, ecx 0x00000021 pushad 0x00000022 call 00007FE418722678h 0x00000027 pushfd 0x00000028 jmp 00007FE418722672h 0x0000002d and ax, 25B8h 0x00000032 jmp 00007FE41872266Bh 0x00000037 popfd 0x00000038 pop esi 0x00000039 push edi 0x0000003a jmp 00007FE418722674h 0x0000003f pop ecx 0x00000040 popad 0x00000041 mov eax, dword ptr [778165FCh] 0x00000046 jmp 00007FE418722671h 0x0000004b test eax, eax 0x0000004d jmp 00007FE41872266Eh 0x00000052 je 00007FE48AA55131h 0x00000058 pushad 0x00000059 movzx ecx, bx 0x0000005c call 00007FE418722673h 0x00000061 mov si, B09Fh 0x00000065 pop esi 0x00000066 popad 0x00000067 mov ecx, eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007FE41872266Eh 0x00000070 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5460ED0 second address: 5460F14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 08B4h 0x00000007 mov bx, FC20h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor eax, dword ptr [ebp+08h] 0x00000011 jmp 00007FE419596854h 0x00000016 and ecx, 1Fh 0x00000019 pushad 0x0000001a mov ax, EDBDh 0x0000001e mov ah, A8h 0x00000020 popad 0x00000021 ror eax, cl 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FE419596850h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 542006D second address: 542018C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE41872266Fh 0x00000009 add si, EC9Eh 0x0000000e jmp 00007FE418722679h 0x00000013 popfd 0x00000014 mov ch, A8h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp], ebp 0x0000001c jmp 00007FE418722673h 0x00000021 mov ebp, esp 0x00000023 jmp 00007FE418722676h 0x00000028 and esp, FFFFFFF8h 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FE41872266Eh 0x00000032 add si, 3028h 0x00000037 jmp 00007FE41872266Bh 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007FE418722678h 0x00000043 adc ecx, 3BDEE288h 0x00000049 jmp 00007FE41872266Bh 0x0000004e popfd 0x0000004f popad 0x00000050 xchg eax, ecx 0x00000051 jmp 00007FE418722676h 0x00000056 push eax 0x00000057 pushad 0x00000058 push edi 0x00000059 pop edi 0x0000005a pushfd 0x0000005b jmp 00007FE418722678h 0x00000060 and ch, 00000048h 0x00000063 jmp 00007FE41872266Bh 0x00000068 popfd 0x00000069 popad 0x0000006a xchg eax, ecx 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e pushfd 0x0000006f jmp 00007FE418722672h 0x00000074 adc al, FFFFFFA8h 0x00000077 jmp 00007FE41872266Bh 0x0000007c popfd 0x0000007d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 542018C second address: 5420196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov ebx, eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5420196 second address: 54201F8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE41872266Eh 0x00000008 adc cx, 8C08h 0x0000000d jmp 00007FE41872266Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 jmp 00007FE418722676h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FE41872266Ch 0x00000026 sbb ecx, 71428198h 0x0000002c jmp 00007FE41872266Bh 0x00000031 popfd 0x00000032 mov dl, cl 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54201F8 second address: 5420286 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596852h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FE419596850h 0x0000000f mov ebx, dword ptr [ebp+10h] 0x00000012 jmp 00007FE419596850h 0x00000017 xchg eax, esi 0x00000018 jmp 00007FE419596850h 0x0000001d push eax 0x0000001e pushad 0x0000001f push ebx 0x00000020 pushad 0x00000021 popad 0x00000022 pop esi 0x00000023 movsx ebx, cx 0x00000026 popad 0x00000027 xchg eax, esi 0x00000028 jmp 00007FE419596852h 0x0000002d mov esi, dword ptr [ebp+08h] 0x00000030 jmp 00007FE419596850h 0x00000035 xchg eax, edi 0x00000036 pushad 0x00000037 mov ax, 3BADh 0x0000003b mov ch, E5h 0x0000003d popad 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov ecx, edx 0x00000044 movsx ebx, si 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5420286 second address: 54202D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41872266Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FE418722674h 0x00000011 jmp 00007FE418722675h 0x00000016 popfd 0x00000017 mov ebx, eax 0x00000019 popad 0x0000001a test esi, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ecx, ebx 0x00000021 mov si, dx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54202D4 second address: 54202DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54202DA second address: 54202DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54202DE second address: 542031B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FE48B904B75h 0x0000000e jmp 00007FE419596852h 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a pushad 0x0000001b mov dl, ch 0x0000001d push edi 0x0000001e mov edx, esi 0x00000020 pop eax 0x00000021 popad 0x00000022 je 00007FE48B904B64h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b movzx esi, dx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 542031B second address: 5420320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5420320 second address: 54203D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596852h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c pushad 0x0000000d mov cl, DEh 0x0000000f mov cx, dx 0x00000012 popad 0x00000013 or edx, dword ptr [ebp+0Ch] 0x00000016 jmp 00007FE419596855h 0x0000001b test edx, 61000000h 0x00000021 jmp 00007FE41959684Eh 0x00000026 jne 00007FE48B904B62h 0x0000002c jmp 00007FE419596850h 0x00000031 test byte ptr [esi+48h], 00000001h 0x00000035 pushad 0x00000036 mov edx, eax 0x00000038 pushfd 0x00000039 jmp 00007FE41959684Ah 0x0000003e and ecx, 6AA9DE18h 0x00000044 jmp 00007FE41959684Bh 0x00000049 popfd 0x0000004a popad 0x0000004b jne 00007FE48B904B40h 0x00000051 jmp 00007FE419596856h 0x00000056 test bl, 00000007h 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FE41959684Ah 0x00000062 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54203D4 second address: 54203DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54203DA second address: 54203E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54203E0 second address: 54203E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543003B second address: 5430071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596851h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE41959684Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE41959684Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430071 second address: 5430075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430075 second address: 543007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543007B second address: 5430092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE418722673h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430092 second address: 5430130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE41959684Ch 0x00000013 jmp 00007FE419596855h 0x00000018 popfd 0x00000019 jmp 00007FE419596850h 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 pushad 0x00000023 movzx esi, di 0x00000026 popad 0x00000027 jmp 00007FE419596855h 0x0000002c popad 0x0000002d and esp, FFFFFFF8h 0x00000030 pushad 0x00000031 mov ecx, edx 0x00000033 popad 0x00000034 push esp 0x00000035 jmp 00007FE419596852h 0x0000003a mov dword ptr [esp], ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FE41959684Ah 0x00000046 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430130 second address: 5430134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430134 second address: 543013A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543013A second address: 5430157 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41872266Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov dx, 35DEh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430157 second address: 5430166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE41959684Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430166 second address: 5430175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430175 second address: 5430179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430179 second address: 543017F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543017F second address: 5430217 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 jmp 00007FE419596852h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FE41959684Eh 0x00000015 sub ecx, 35BCD838h 0x0000001b jmp 00007FE41959684Bh 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FE419596858h 0x00000027 sub cl, FFFFFF98h 0x0000002a jmp 00007FE41959684Bh 0x0000002f popfd 0x00000030 popad 0x00000031 mov esi, dword ptr [ebp+08h] 0x00000034 jmp 00007FE419596856h 0x00000039 sub ebx, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FE419596853h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430217 second address: 543021D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430367 second address: 543038D instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushfd 0x0000000a jmp 00007FE41959684Ah 0x0000000f or ecx, 3BC11988h 0x00000015 jmp 00007FE41959684Bh 0x0000001a popfd 0x0000001b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543038D second address: 5430398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430398 second address: 543039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543039D second address: 5430413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov edi, 04E7FBE8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e jmp 00007FE418722677h 0x00000013 xchg eax, ebx 0x00000014 jmp 00007FE418722676h 0x00000019 push eax 0x0000001a pushad 0x0000001b movsx edi, ax 0x0000001e mov bh, al 0x00000020 popad 0x00000021 xchg eax, ebx 0x00000022 jmp 00007FE418722675h 0x00000027 push dword ptr [ebp+14h] 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d jmp 00007FE418722673h 0x00000032 pushad 0x00000033 popad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543045D second address: 5430463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430463 second address: 5430467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430467 second address: 543046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543046B second address: 54304A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jmp 00007FE418722677h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE418722675h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54304A3 second address: 54304D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596851h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE419596858h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54304D6 second address: 54304E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41872266Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491884 second address: 5491888 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491888 second address: 549188E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 549188E second address: 5491894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491894 second address: 5491898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491898 second address: 54918DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FE419596850h 0x00000011 pop esi 0x00000012 pushfd 0x00000013 jmp 00007FE41959684Bh 0x00000018 adc ch, 0000005Eh 0x0000001b jmp 00007FE419596859h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54918DF second address: 549192D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE418722677h 0x00000008 pushfd 0x00000009 jmp 00007FE418722678h 0x0000000e and cx, E4B8h 0x00000013 jmp 00007FE41872266Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 549192D second address: 5491931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491931 second address: 5491937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491937 second address: 549193C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 549193C second address: 549197F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FE41872266Ch 0x00000012 and cx, 7E48h 0x00000017 jmp 00007FE41872266Bh 0x0000001c popfd 0x0000001d jmp 00007FE418722678h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 549197F second address: 5491998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41959684Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 0000007Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491998 second address: 549199E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 549199E second address: 54919E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596854h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000001h 0x0000000d pushad 0x0000000e mov bx, si 0x00000011 pushfd 0x00000012 jmp 00007FE41959684Ah 0x00000017 add ax, 5568h 0x0000001c jmp 00007FE41959684Bh 0x00000021 popfd 0x00000022 popad 0x00000023 push dword ptr [ebp+08h] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov edx, 41E1ECD6h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54919E8 second address: 54919ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54919ED second address: 5491A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE419596859h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491A0A second address: 5491A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491A64 second address: 5491884 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596853h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a retn 0004h 0x0000000d lea eax, dword ptr [ebp-10h] 0x00000010 push eax 0x00000011 call ebx 0x00000013 mov edi, edi 0x00000015 jmp 00007FE419596851h 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FE419596858h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 545087B second address: 5450881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450881 second address: 5450885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5450885 second address: 54508ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418722674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE41872266Eh 0x00000013 or cx, 0068h 0x00000018 jmp 00007FE41872266Bh 0x0000001d popfd 0x0000001e mov esi, 11F0865Fh 0x00000023 popad 0x00000024 push eax 0x00000025 jmp 00007FE418722675h 0x0000002a xchg eax, ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FE41872266Dh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54508ED second address: 54508F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54508F3 second address: 54508F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54508F7 second address: 54508FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54508FB second address: 5450919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE418722672h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430725 second address: 5430734 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41959684Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430734 second address: 543073A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543073A second address: 5430758 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FE41959684Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5430758 second address: 543075E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 543075E second address: 543076D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE41959684Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491EBB second address: 5491EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491EC1 second address: 5491EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491EC5 second address: 5491EDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE41872266Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491EDD second address: 5491EE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 5491EE3 second address: 5491F2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418722673h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FE418722676h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE418722677h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0419 second address: 54B0431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE419596854h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0431 second address: 54B0490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41872266Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FE418722676h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov edx, 2C388154h 0x00000018 pushfd 0x00000019 jmp 00007FE41872266Dh 0x0000001e add ah, 00000016h 0x00000021 jmp 00007FE418722671h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov edi, 21C2689Eh 0x00000031 push ebx 0x00000032 pop esi 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0490 second address: 54B04D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE41959684Eh 0x00000009 sub ax, 7768h 0x0000000e jmp 00007FE41959684Bh 0x00000013 popfd 0x00000014 mov ax, 095Fh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e movzx eax, di 0x00000021 movsx ebx, ax 0x00000024 popad 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FE41959684Bh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B04D2 second address: 54B04D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0106 second address: 54B0116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE41959684Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0116 second address: 54B011A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B011A second address: 54B0144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b mov al, dl 0x0000000d pop esi 0x0000000e jmp 00007FE419596855h 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0144 second address: 54B014B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B014B second address: 54B017E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596854h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE419596857h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B017E second address: 54B0190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0190 second address: 54B0194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0194 second address: 54B01AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418722675h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B01AD second address: 54B01CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE419596851h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B01CB second address: 54B01CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B01CF second address: 54B01D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B01D5 second address: 54B020B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE418722672h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FE418722669h 0x0000000e jmp 00007FE418722670h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B020B second address: 54B020F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B020F second address: 54B0215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0215 second address: 54B0254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE41959684Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FE419596852h 0x00000016 add al, 00000068h 0x00000019 jmp 00007FE41959684Bh 0x0000001e popfd 0x0000001f push eax 0x00000020 pop ebx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B0254 second address: 54B02E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE41872266Bh 0x00000009 xor ch, FFFFFFAEh 0x0000000c jmp 00007FE418722679h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007FE418722677h 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FE41872266Fh 0x00000029 and cx, 276Eh 0x0000002e jmp 00007FE418722679h 0x00000033 popfd 0x00000034 mov si, 18F7h 0x00000038 popad 0x00000039 pop eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d mov di, 8FDAh 0x00000041 movsx ebx, si 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B02E3 second address: 54B02E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe RDTSC instruction interceptor: First address: 54B02E9 second address: 54B02ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Special instruction interceptor: First address: A8AB07 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Special instruction interceptor: First address: C28B26 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Special instruction interceptor: First address: C4D782 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 57AB07 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 718B26 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 73D782 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: E7AB07 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1018B26 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 103D782 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_053B0B16 rdtsc 0_2_053B0B16
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window / User API: threadDelayed 1340
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Window / User API: threadDelayed 1378
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 360
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 2092
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 947
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 355
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 787
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1012
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 912
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 941
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 866
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 4444
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 364
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 4177
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 4244 Thread sleep count: 43 > 30
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 4244 Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 3424 Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 3424 Thread sleep time: -80040s >= -30000s
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 6352 Thread sleep count: 124 > 30
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 2712 Thread sleep count: 1340 > 30
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 2712 Thread sleep time: -2681340s >= -30000s
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 6352 Thread sleep count: 70 > 30
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 6352 Thread sleep count: 334 > 30
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 6352 Thread sleep time: -33734s >= -30000s
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 6900 Thread sleep count: 1378 > 30
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe TID: 6900 Thread sleep time: -2757378s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7716 Thread sleep count: 31 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7716 Thread sleep time: -62031s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7720 Thread sleep count: 39 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7720 Thread sleep time: -78039s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7800 Thread sleep time: -32000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484 Thread sleep count: 123 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724 Thread sleep count: 32 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724 Thread sleep time: -64032s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484 Thread sleep count: 360 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484 Thread sleep time: -36360s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7700 Thread sleep count: 2092 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7700 Thread sleep time: -4186092s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7728 Thread sleep count: 947 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7728 Thread sleep time: -1894947s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7632 Thread sleep count: 355 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7632 Thread sleep time: -710355s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7608 Thread sleep count: 43 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7608 Thread sleep time: -86043s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7804 Thread sleep time: -32000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7520 Thread sleep count: 119 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7520 Thread sleep count: 337 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7520 Thread sleep time: -34037s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612 Thread sleep count: 38 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612 Thread sleep time: -76038s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7604 Thread sleep count: 787 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7604 Thread sleep time: -1574787s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7624 Thread sleep count: 1012 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7624 Thread sleep time: -2025012s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7628 Thread sleep count: 912 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7628 Thread sleep time: -1824912s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7616 Thread sleep count: 941 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7616 Thread sleep time: -1882941s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7620 Thread sleep count: 866 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7620 Thread sleep time: -1732866s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8028 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8028 Thread sleep time: -128064s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8032 Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8032 Thread sleep time: -110055s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8020 Thread sleep count: 4444 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8020 Thread sleep time: -8892444s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8000 Thread sleep count: 364 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8000 Thread sleep time: -36764s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8016 Thread sleep count: 4177 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8016 Thread sleep time: -8358177s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8040 Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8040 Thread sleep time: -112056s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8024 Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8024 Thread sleep time: -140070s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7928 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7928 Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7932 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7932 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6912 Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6336 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6336 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6912 Thread sleep count: 284 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7924 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6240 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7844 Thread sleep time: -58029s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_0095A160 GetFileAttributesA,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error, 0_2_0095A160
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A2C7AB FindFirstFileExW, 0_2_00A2C7AB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_00460060 FindFirstFileA,FindNextFileA, 16_2_00460060
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0044A160 GetFileAttributesA,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error, 16_2_0044A160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0051C7AB FindFirstFileExW, 16_2_0051C7AB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_00460060 FindFirstFileA,FindNextFileA, 17_2_00460060
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0044A160 GetFileAttributesA,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error, 17_2_0044A160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0051C7AB FindFirstFileExW, 17_2_0051C7AB
Source: RageMP131.exe, 00000018.00000003.1981671193.0000000005D35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_995F9B50*
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*H
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492(
Source: RageMP131.exe, 00000014.00000002.2137292986.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000ts
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 00000011.00000002.2182717521.00000000010FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWk
Source: MPGPH131.exe, 00000010.00000002.2213933698.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}lt_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696492231
Source: RageMP131.exe, 00000018.00000003.1970677593.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696492231d
Source: MPGPH131.exe, 00000011.00000002.2182717521.00000000010BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.34.dr Binary or memory string: vmci.sys
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: global block list test formVMware20,11696492231
Source: RageMP131.exe, 00000014.00000003.1970912502.000000000625B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169649223k&
Source: MPGPH131.exe, 00000010.00000002.2213933698.0000000005D18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696492231o
Source: RageMP131.exe, 00000014.00000003.1967668419.000000000625B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696492
Source: RageMP131.exe, 00000014.00000002.2137292986.0000000001713000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_995F9B50*
Source: RageMP131.exe, 00000018.00000003.1970677593.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,11696492238
Source: Amcache.hve.34.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.34.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: RageMP131.exe, 00000014.00000003.1967668419.000000000625B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696492
Source: Amcache.hve.34.dr Binary or memory string: VMware Virtual RAM
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696492231
Source: RageMP131.exe, 00000014.00000003.1396822392.00000000016A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}q
Source: Amcache.hve.34.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}
Source: RageMP131.exe, 00000018.00000003.1475893699.00000000009FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t
Source: Amcache.hve.34.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: MPGPH131.exe, MPGPH131.exe, 00000011.00000002.2179700317.00000000006F7000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000002.2132704164.0000000000FF7000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000002.2149542475.0000000000FF7000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.34.dr Binary or memory string: VMware Virtual USB Mouse
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696492231
Source: RageMP131.exe, 00000018.00000003.1981671193.0000000005D35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: RageMP131.exe, 00000014.00000003.1967668419.000000000625B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,1169649223
Source: Amcache.hve.34.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWr'
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\Default\Local Storage\leveldb\000003.logj
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696492231
Source: jUlAlD6KHz.exe, 00000000.00000003.1289337896.00000000014DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: Amcache.hve.34.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RageMP131.exe, 00000014.00000003.1970912502.000000000625B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696492231
Source: RageMP131.exe, 00000014.00000003.1967668419.000000000625B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696(h&
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.34.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.34.dr Binary or memory string: \driver\vmci,\driver\pci
Source: RageMP131.exe, 00000018.00000003.1970677593.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,11696492238
Source: RageMP131.exe, 00000014.00000002.2137292986.000000000171E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}fox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: RageMP131.exe, 00000014.00000003.1970912502.000000000625B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169649223
Source: MPGPH131.exe, 00000011.00000002.2182717521.00000000010FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\Default\Local Storage\leveldb\000003.logC
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696492231
Source: jUlAlD6KHz.exe, 00000000.00000002.2132570020.0000000000C07000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000010.00000002.2203265512.00000000006F7000.00000040.00000001.01000000.00000006.sdmp, MPGPH131.exe, 00000011.00000002.2179700317.00000000006F7000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000014.00000002.2132704164.0000000000FF7000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000018.00000002.2149542475.0000000000FF7000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&v
Source: Amcache.hve.34.dr Binary or memory string: VMware
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696492231~
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: outlook.office.comVMware20,11696492231s
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: AMC password management pageVMware20,11696492231
Source: RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\WorkspacesNavigationComponent\Network\*
Source: RageMP131.exe, 00000018.00000003.1970677593.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696H
Source: Amcache.hve.34.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696492231
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, jUlAlD6KHz.exe, 00000000.00000003.1893108875.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2182717521.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000011.00000002.2182717521.00000000010BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.000000000165E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: jUlAlD6KHz.exe, 00000000.00000003.2003869345.00000000063A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ta=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user~1\AppData\Local\TempTMP=C:\Users\user~1\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows||
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: MPGPH131.exe, 00000011.00000003.1332027869.00000000010CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: RageMP131.exe, 00000014.00000003.1970912502.000000000625B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696xb&
Source: Amcache.hve.34.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: discord.comVMware20,11696492231f
Source: RageMP131.exe, 00000018.00000003.1970677593.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696492(
Source: RageMP131.exe, 00000018.00000003.1981671193.0000000005D35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_995F9B50
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnI_
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169649223
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\Default\Local Storage\leveldb\000003.log
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\**
Source: RageMP131.exe, 00000018.00000003.1475893699.00000000009FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.34.dr Binary or memory string: VMware20,1
Source: Amcache.hve.34.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.34.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.34.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.34.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}V
Source: Amcache.hve.34.dr Binary or memory string: VMware VMCI Bus Device
Source: RageMP131.exe, 00000014.00000002.2137292986.000000000171E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\efbglgofoippbgcjepnhiblaibcnclgk\CURRENTN
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Amcache.hve.34.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&2
Source: RageMP131.exe, 00000018.00000003.1970677593.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.portal.azure.comVMware20,11696492231
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.34.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.34.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.34.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.34.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.34.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RageMP131.exe, 00000018.00000002.2146898769.00000000009F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}u
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\igkpcodhieompeloncfnbekccinhapdb\CURRENT
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}p
Source: Amcache.hve.34.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: jUlAlD6KHz.exe, 00000000.00000003.1289337896.00000000014DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}k
Source: RageMP131.exe, 00000014.00000002.2137292986.0000000001713000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_995F9B50
Source: RageMP131.exe, 00000018.00000002.2146898769.00000000009E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&V
Source: MPGPH131.exe, 00000011.00000002.2182717521.00000000010CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SIk&Ven_VMware&Prod_Vidi&1656f219&0&000000#{07f-11d0-94f2-00a0c91e
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: dev.azure.comVMware20,11696492231j
Source: RageMP131.exe, 00000018.00000003.1976842354.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696492231o
Source: RageMP131.exe, 00000014.00000002.2137292986.000000000169A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000s\user~1\AppData\Local\TempS
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: RageMP131.exe, 00000014.00000003.1967668419.000000000625B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,1169649223
Source: Amcache.hve.34.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.34.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RageMP131.exe, 00000018.00000003.1970677593.0000000005D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696492(
Source: RageMP131.exe, 00000014.00000002.2137292986.00000000016BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: DfTWXkt7bFHWWeb Data.24.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_053B0E23 Start: 053B0E3B End: 053B0E37 0_2_053B0E23
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_04F70433 Start: 04F706E3 End: 04F7046B 17_2_04F70433
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_04F70A26 Start: 04F70E1B End: 04F709F0 17_2_04F70A26
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_04FC0DB2 Start: 04FC0F03 End: 04FC0DC9 17_2_04FC0DB2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_04FC0792 Start: 04FC0ACA End: 04FC07A5 17_2_04FC0792
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_05020300 Start: 0502043F End: 050202D2 17_2_05020300
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_053B0B16 rdtsc 0_2_053B0B16
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009B3320 mov eax, dword ptr fs:[00000030h] 0_2_009B3320
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_009B3320 mov eax, dword ptr fs:[00000030h] 0_2_009B3320
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00963F10 mov eax, dword ptr fs:[00000030h] 0_2_00963F10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004A3320 mov eax, dword ptr fs:[00000030h] 16_2_004A3320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_004A3320 mov eax, dword ptr fs:[00000030h] 16_2_004A3320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 16_2_0045F3B0 mov eax, dword ptr fs:[00000030h] 16_2_0045F3B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004A3320 mov eax, dword ptr fs:[00000030h] 17_2_004A3320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_004A3320 mov eax, dword ptr fs:[00000030h] 17_2_004A3320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 17_2_0045F3B0 mov eax, dword ptr fs:[00000030h] 17_2_0045F3B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: jUlAlD6KHz.exe, jUlAlD6KHz.exe, 00000000.00000002.2132570020.0000000000C07000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, 00000018.00000002.2149542475.0000000000FF7000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Code function: 0_2_00A2DE2D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00A2DE2D
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{0C52D293-93AF-4DB3-8012-32E2FB2DAC51}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{796A6376-0454-455F-AACF-D926BD4DD768}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{642526A1-CA57-422E-8196-D9D6C17E634B}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Registry value created: Exclusions_Extensions 1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry value created: Exclusions_Extensions 1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File written: C:\Windows\System32\GroupPolicy\GPT.INI
Source: Amcache.hve.34.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.34.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.34.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.34.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.34.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000011.00000003.2157408474.0000000001145000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2137292986.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2136263704.0000000001543000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2155476690.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2204526510.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2150286222.0000000006210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2183337078.0000000001145000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2204526510.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2136263704.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2150286222.0000000006246000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2146898769.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2182717521.000000000108A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jUlAlD6KHz.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3964, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ZC9N6dBzS5ZEt9m1PmZDOPh.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\VKmo9cHGC7A78S8pIPnaIQM.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\q54ck9WjU916t0raHCeE5cn.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\lj9CfpGnnFdMRw3dXDPtKQ6.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\onJm2E6cdj2U7BbKnzc2Vlq.zip, type: DROPPED
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ppData\Roaming\Electrum-LTC\wallets
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local StoragesO
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.000000000148E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\Cookiesv
Source: MPGPH131.exe, 00000011.00000002.2183337078.0000000001160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: MPGPH131.exe, 00000011.00000002.2183337078.0000000001160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ppData\Local\Coinomi\Coinomi\wallets
Source: MPGPH131.exe, 00000010.00000002.2204526510.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: jUlAlD6KHz.exe, 00000000.00000002.2136263704.00000000014DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger LiveO`
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File read: C:\Users\user\AppData\Local\Temp\adobeMmbmgxZ09AYO\Cookies\Chrome_Default.txt
Source: C:\Users\user\Desktop\jUlAlD6KHz.exe File read: C:\Users\user\AppData\Local\Temp\adobejf0rU8GsOA8H\Cookies\Chrome_Default.txt
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File read: C:\Users\user\AppData\Local\Temp\adobe4u3PTYpFoae8\Cookies\Chrome_Default.txt
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File read: C:\Users\user\AppData\Local\Temp\adobeeh7qkfi3FIF_\Cookies\Chrome_Default.txt
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File read: C:\Users\user\AppData\Local\Temp\adobesP7Gsngn4GEq\Cookies\Chrome_Default.txt
Source: Yara match File source: 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2146898769.0000000000A0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jUlAlD6KHz.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3964, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000011.00000003.2157408474.0000000001145000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2137292986.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2136263704.0000000001543000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2155476690.0000000005D3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2204526510.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2150286222.0000000006210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2183337078.0000000001145000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2204526510.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2136263704.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2136263704.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2150286222.0000000006246000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2146898769.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2182717521.000000000108A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jUlAlD6KHz.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3964, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ZC9N6dBzS5ZEt9m1PmZDOPh.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\VKmo9cHGC7A78S8pIPnaIQM.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\q54ck9WjU916t0raHCeE5cn.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\lj9CfpGnnFdMRw3dXDPtKQ6.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\onJm2E6cdj2U7BbKnzc2Vlq.zip, type: DROPPED