Edit tour

Windows Analysis Report
90ZF1EDs9h.exe

Overview

General Information

Sample name:	90ZF1EDs9h.exe renamed because original name is a hash value
Original sample name:	9437d6cf2745f8683c3aa908e01b03cf.exe
Analysis ID:	1461305
MD5:	9437d6cf2745f8683c3aa908e01b03cf
SHA1:	4b954d00882c8249d11b61440976b2993ae4738a
SHA256:	d3d0eeab1a06460ed303b065248db53d47bfd5c253324b0d2f9efcc2dc700a47
Tags:	32exetrojan
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

90ZF1EDs9h.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\90ZF1EDs9h.exe" MD5: 9437D6CF2745F8683C3AA908E01B03CF)

schtasks.exe (PID: 7452 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7500 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 7552 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 9437D6CF2745F8683C3AA908E01B03CF)

MPGPH131.exe (PID: 7560 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 9437D6CF2745F8683C3AA908E01B03CF)

RageMP131.exe (PID: 7872 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 9437D6CF2745F8683C3AA908E01B03CF)

RageMP131.exe (PID: 7132 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 9437D6CF2745F8683C3AA908E01B03CF)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: 90ZF1EDs9h.exe PID: 7300	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7552	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7560	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7872	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7132	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\90ZF1EDs9h.exe, ProcessId: 7300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:04.646362
SID:	2046269
Source Port:	49732
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:07.646023
SID:	2046269
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:06.583631
SID:	2046269
Source Port:	49747
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:34:58.970157
SID:	2049060
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:36.288691
SID:	2046267
Source Port:	58709
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:05.458696
SID:	2046269
Source Port:	49735
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:02.465607
SID:	2046266
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:21.729696
SID:	2046266
Source Port:	58709
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:34:59.553336
SID:	2046266
Source Port:	58709
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:03.603959
SID:	2046266
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/23/24-18:37:04.786800
SID:	2046269
Source Port:	49733
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:13.471006
SID:	2046266
Source Port:	58709
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:12.390867
SID:	2046267
Source Port:	58709
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:13.312009
SID:	2046267
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:14.392680
SID:	2046267
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-18:35:28.664022
SID:	2046267
Source Port:	58709
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 50%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 53%	Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Virustotal: Detection: 53%	Perma Link

Multi AV Scanner detection for submitted file

Source: 90ZF1EDs9h.exe

Virustotal: Detection: 53%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 90ZF1EDs9h.exe

Joe Sandbox ML: detected

Source: 90ZF1EDs9h.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49751 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49735 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49747
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49747 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49747

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View	IP Address: 77.91.77.66 77.91.77.66

Source: Joe Sandbox View

ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Code function: 0_2_00049280 recv,WSASend,

0_2_00049280

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319159509.0000000000E53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E54000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33$
Source: MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33S
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/l/.
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33J
Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.2964515667.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/W&
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/alj
Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/s
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/tuO
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B86000.00000004.00000020.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33#H
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33H
Source: MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33q
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33~
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT8?
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTz
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro
Source: MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/riseproD
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/riseproF
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botA$
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botGc
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botSS
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botj/
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botp
Source: 90ZF1EDs9h.exe, 00000000.00000002.2975858179.0000000007720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.v
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49751 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: 90ZF1EDs9h.exe	Static PE information: section name:
Source: 90ZF1EDs9h.exe	Static PE information: section name: .idata
Source: 90ZF1EDs9h.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0007A928	0_2_0007A928
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0007C960	0_2_0007C960
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_000771A0	0_2_000771A0
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0008DA86	0_2_0008DA86
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0008036F	0_2_0008036F
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_00098BB0	0_2_00098BB0
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0012FC40	0_2_0012FC40
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_0006F580	0_2_0006F580
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_000947BF	0_2_000947BF
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_00132FD0	0_2_00132FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001CA928	5_2_001CA928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001CC960	5_2_001CC960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001C71A0	5_2_001C71A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001DDA86	5_2_001DDA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001D036F	5_2_001D036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001E8BB0	5_2_001E8BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0027FC40	5_2_0027FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001BF580	5_2_001BF580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001E47BF	5_2_001E47BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00282FD0	5_2_00282FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001CA928	6_2_001CA928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001CC960	6_2_001CC960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001C71A0	6_2_001C71A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001DDA86	6_2_001DDA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001D036F	6_2_001D036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001E8BB0	6_2_001E8BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0027FC40	6_2_0027FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001BF580	6_2_001BF580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001E47BF	6_2_001E47BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00282FD0	6_2_00282FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0041C960	7_2_0041C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0041A928	7_2_0041A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_004171A0	7_2_004171A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0042DA86	7_2_0042DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0042036F	7_2_0042036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00438BB0	7_2_00438BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_004CFC40	7_2_004CFC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0040F580	7_2_0040F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00432610	7_2_00432610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_004D2FD0	7_2_004D2FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_004347BF	7_2_004347BF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0041C960	9_2_0041C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0041A928	9_2_0041A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_004171A0	9_2_004171A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0042DA86	9_2_0042DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0042036F	9_2_0042036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00438BB0	9_2_00438BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_004CFC40	9_2_004CFC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0040F580	9_2_0040F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00432610	9_2_00432610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_004D2FD0	9_2_004D2FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_004347BF	9_2_004347BF

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 00414380 appears 48 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 001C4380 appears 48 times

Source: 90ZF1EDs9h.exe, 00000000.00000000.1647503267.00000000001CA000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs 90ZF1EDs9h.exe
Source: 90ZF1EDs9h.exe	Binary or memory string: OriginalFilenamedotnet.exe6 vs 90ZF1EDs9h.exe

Source: 90ZF1EDs9h.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 90ZF1EDs9h.exe	Static PE information: Section: ZLIB complexity 0.998056854470803
Source: 90ZF1EDs9h.exe	Static PE information: Section: pobzuwwq ZLIB complexity 0.9947049260853293
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.998056854470803
Source: RageMP131.exe.0.dr	Static PE information: Section: pobzuwwq ZLIB complexity 0.9947049260853293
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.998056854470803
Source: MPGPH131.exe.0.dr	Static PE information: Section: pobzuwwq ZLIB complexity 0.9947049260853293

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@2/3

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: 90ZF1EDs9h.exe

Virustotal: Detection: 53%

Source: 90ZF1EDs9h.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 90ZF1EDs9h.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

File read: C:\Users\user\Desktop\90ZF1EDs9h.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\90ZF1EDs9h.exe "C:\Users\user\Desktop\90ZF1EDs9h.exe"
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior

Source: 90ZF1EDs9h.exe

Static file information: File size 2432512 > 1048576

Source: 90ZF1EDs9h.exe

Static PE information: Raw size of pobzuwwq is bigger than: 0x100000 < 0x1a1800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Unpacked PE file: 0.2.90ZF1EDs9h.exe.40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 5.2.MPGPH131.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 7.2.RageMP131.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 9.2.RageMP131.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pobzuwwq:EW;bxltxemr:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x25d952 should be: 0x253833
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x25d952 should be: 0x253833
Source: 90ZF1EDs9h.exe	Static PE information: real checksum: 0x25d952 should be: 0x253833

Source: 90ZF1EDs9h.exe	Static PE information: section name:
Source: 90ZF1EDs9h.exe	Static PE information: section name: .idata
Source: 90ZF1EDs9h.exe	Static PE information: section name:
Source: 90ZF1EDs9h.exe	Static PE information: section name: pobzuwwq
Source: 90ZF1EDs9h.exe	Static PE information: section name: bxltxemr
Source: 90ZF1EDs9h.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: pobzuwwq
Source: RageMP131.exe.0.dr	Static PE information: section name: bxltxemr
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: pobzuwwq
Source: MPGPH131.exe.0.dr	Static PE information: section name: bxltxemr
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_00073F59 push ecx; ret	0_2_00073F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001C3F59 push ecx; ret	5_2_001C3F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001C3F59 push ecx; ret	6_2_001C3F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00413F59 push ecx; ret	7_2_00413F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_04F808D0 push cs; iretd	7_2_04F808DA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00413F59 push ecx; ret	9_2_00413F6C

Source: 90ZF1EDs9h.exe	Static PE information: section name: entropy: 7.980016205845924
Source: 90ZF1EDs9h.exe	Static PE information: section name: pobzuwwq entropy: 7.953477305499687
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.980016205845924
Source: RageMP131.exe.0.dr	Static PE information: section name: pobzuwwq entropy: 7.953477305499687
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.980016205845924
Source: MPGPH131.exe.0.dr	Static PE information: section name: pobzuwwq entropy: 7.953477305499687

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Stalling execution: Execution stalls by calling Sleep	graph_0-16297
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep	graph_5-18440
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Stalling execution: Execution stalls by calling Sleep

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 1D0B72 second address: 1D0B78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 1D0B78 second address: 1D0B7D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 338A6D second address: 338AB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB6h 0x00000007 jo 00007F7374772AA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007F7374772AB1h 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a jmp 00007F7374772AB5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3499FB second address: 3499FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C045 second address: 1D0B72 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7374772AA8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 2ED4FAD4h 0x00000013 or cl, FFFFFFF2h 0x00000016 push dword ptr [ebp+122D12B5h] 0x0000001c add dword ptr [ebp+122D2BC2h], edi 0x00000022 mov edi, dword ptr [ebp+122D3794h] 0x00000028 call dword ptr [ebp+122D1BF2h] 0x0000002e pushad 0x0000002f jnp 00007F7374772ABDh 0x00000035 jmp 00007F7374772AB7h 0x0000003a xor eax, eax 0x0000003c cmc 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jmp 00007F7374772AB3h 0x00000046 mov dword ptr [ebp+122D38D4h], eax 0x0000004c mov dword ptr [ebp+122D19F2h], ecx 0x00000052 mov esi, 0000003Ch 0x00000057 add dword ptr [ebp+122D19F2h], eax 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 pushad 0x00000062 mov dword ptr [ebp+122D19F2h], esi 0x00000068 jg 00007F7374772AACh 0x0000006e popad 0x0000006f lodsw 0x00000071 jmp 00007F7374772AAAh 0x00000076 add eax, dword ptr [esp+24h] 0x0000007a jne 00007F7374772AB8h 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 cld 0x00000085 nop 0x00000086 push eax 0x00000087 push edx 0x00000088 push eax 0x00000089 push edx 0x0000008a jmp 00007F7374772AB2h 0x0000008f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C1BC second address: 34C1E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F737512BAEAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F737512BAF1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C1E2 second address: 34C1EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F7374772AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C1EC second address: 34C226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edx, 6DE091C7h 0x00000011 push 00000000h 0x00000013 jl 00007F737512BAECh 0x00000019 mov dword ptr [ebp+122D1824h], eax 0x0000001f push 8D57C73Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 push edi 0x00000027 js 00007F737512BAE6h 0x0000002d pop edi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C226 second address: 34C22C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C22C second address: 34C230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C230 second address: 34C234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C234 second address: 34C2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 72A83944h 0x0000000f jmp 00007F737512BAF6h 0x00000014 push 00000003h 0x00000016 mov dword ptr [ebp+122D18F7h], edx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F737512BAE8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 call 00007F737512BAEBh 0x0000003d sub dword ptr [ebp+122D2BB5h], edx 0x00000043 pop esi 0x00000044 push 00000003h 0x00000046 mov ecx, edx 0x00000048 call 00007F737512BAE9h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2A6 second address: 34C2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2AA second address: 34C2C7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jp 00007F737512BAECh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2C7 second address: 34C2CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2CB second address: 34C2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d jbe 00007F737512BAE6h 0x00000013 jp 00007F737512BAE6h 0x00000019 popad 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2E8 second address: 34C2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C2F6 second address: 34C3B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F737512BAF8h 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F737512BAE8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d call 00007F737512BAF6h 0x00000032 pushad 0x00000033 jnc 00007F737512BAE6h 0x00000039 pushad 0x0000003a popad 0x0000003b popad 0x0000003c pop edi 0x0000003d mov esi, 611F30B0h 0x00000042 lea ebx, dword ptr [ebp+1244EF7Ch] 0x00000048 push 00000000h 0x0000004a push eax 0x0000004b call 00007F737512BAE8h 0x00000050 pop eax 0x00000051 mov dword ptr [esp+04h], eax 0x00000055 add dword ptr [esp+04h], 00000016h 0x0000005d inc eax 0x0000005e push eax 0x0000005f ret 0x00000060 pop eax 0x00000061 ret 0x00000062 pushad 0x00000063 mov ecx, dword ptr [ebp+122D3828h] 0x00000069 mov ebx, dword ptr [ebp+122D3067h] 0x0000006f popad 0x00000070 sub dword ptr [ebp+122D1BB1h], ecx 0x00000076 xchg eax, ebx 0x00000077 jnl 00007F737512BAF2h 0x0000007d je 00007F737512BAECh 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C3B9 second address: 34C3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7374772AAAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C3CB second address: 34C3CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C3CF second address: 34C3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 34C3D9 second address: 34C3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36AC68 second address: 36AC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7374772AA6h 0x0000000a jmp 00007F7374772AADh 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 jmp 00007F7374772AAAh 0x00000017 jl 00007F7374772AB2h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36B336 second address: 36B33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36B33C second address: 36B345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36B9BD second address: 36B9C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36B9C2 second address: 36B9D8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7374772AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F7374772AA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36BB3C second address: 36BB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F737512BAF1h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F737512BB01h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36C581 second address: 36C58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 36C58B second address: 36C59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F737512BAE6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 372EF1 second address: 372EF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 333AEC second address: 333AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAEDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 333AFD second address: 333B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 373C96 second address: 373CB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F737512BAE8h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 374416 second address: 37441C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37441C second address: 374422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37908C second address: 37909C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F7374772AA6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378771 second address: 378776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378776 second address: 37877C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37877C second address: 378780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378BDD second address: 378BE7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7374772AA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378ED4 second address: 378EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378EDD second address: 378EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378EE1 second address: 378EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378EE5 second address: 378F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7374772AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AB1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 378F04 second address: 378F2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F737512BAE6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37AEE6 second address: 37AEFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007F7374772AA6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F7374772AA6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37AEFD second address: 37AF07 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37AF91 second address: 37AF9B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37AF9B second address: 37AFA0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37B0C4 second address: 37B0C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37B6C2 second address: 37B6C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37B6C8 second address: 37B6E8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7374772AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F7374772AAFh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C114 second address: 37C11D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C19E second address: 37C1B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C1B2 second address: 37C20A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F737512BAEBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F737512BAE8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 xor dword ptr [ebp+122D18F7h], esi 0x0000002e jmp 00007F737512BAECh 0x00000033 or di, 3297h 0x00000038 push eax 0x00000039 jp 00007F737512BAEEh 0x0000003f push ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C6A2 second address: 37C6A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37C6A8 second address: 37C6AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37D0A1 second address: 37D0A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37D0A5 second address: 37D0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37CF1B second address: 37CF21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37D0AB second address: 37D0C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37D0C5 second address: 37D157 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F7374772AA8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 movsx edi, bx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebp 0x0000002c call 00007F7374772AA8h 0x00000031 pop ebp 0x00000032 mov dword ptr [esp+04h], ebp 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc ebp 0x0000003f push ebp 0x00000040 ret 0x00000041 pop ebp 0x00000042 ret 0x00000043 xor edi, dword ptr [ebp+122D3830h] 0x00000049 push 00000000h 0x0000004b jmp 00007F7374772AB0h 0x00000050 xchg eax, ebx 0x00000051 jl 00007F7374772AB7h 0x00000057 push eax 0x00000058 jnl 00007F7374772AAEh 0x0000005e push esi 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37ED09 second address: 37ED27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F737512BAF3h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37EAA6 second address: 37EAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37ED27 second address: 37EDC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F737512BAE8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push esi 0x00000026 add dword ptr [ebp+122D2BC7h], ecx 0x0000002c pop esi 0x0000002d mov dword ptr [ebp+122D2B0Fh], esi 0x00000033 push 00000000h 0x00000035 jnp 00007F737512BAECh 0x0000003b mov dword ptr [ebp+122D2F8Bh], edx 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push esi 0x00000046 call 00007F737512BAE8h 0x0000004b pop esi 0x0000004c mov dword ptr [esp+04h], esi 0x00000050 add dword ptr [esp+04h], 0000001Dh 0x00000058 inc esi 0x00000059 push esi 0x0000005a ret 0x0000005b pop esi 0x0000005c ret 0x0000005d mov edi, 1D3373FBh 0x00000062 xchg eax, ebx 0x00000063 jmp 00007F737512BAF3h 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F737512BAEAh 0x00000070 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37EAAA second address: 37EAAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37EAAE second address: 37EAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37F82F second address: 37F833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37EAB4 second address: 37EABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F737512BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37F5CE second address: 37F5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37F833 second address: 37F877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a adc di, 9C7Ch 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F737512BAE8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov si, 2D54h 0x0000002f push 00000000h 0x00000031 xor edi, 5BA521C3h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jns 00007F737512BAE6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 37F877 second address: 37F87D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3802C8 second address: 3802CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38005D second address: 380065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3802CC second address: 380314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F737512BAE8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov esi, dword ptr [ebp+1247D45Bh] 0x0000002a push 00000000h 0x0000002c mov si, dx 0x0000002f push 00000000h 0x00000031 mov di, dx 0x00000034 mov esi, dword ptr [ebp+122D38F4h] 0x0000003a push eax 0x0000003b jc 00007F737512BAF0h 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3817F0 second address: 38183E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnl 00007F7374772AB9h 0x0000000e nop 0x0000000f movsx edi, bx 0x00000012 push 00000000h 0x00000014 mov edi, dword ptr [ebp+122D392Ch] 0x0000001a push 00000000h 0x0000001c xchg eax, ebx 0x0000001d jmp 00007F7374772AB8h 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 380B3F second address: 380B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 380B48 second address: 380B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3820FF second address: 382103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38927A second address: 389282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 389282 second address: 389292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F737512BAE6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38753D second address: 387542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 389861 second address: 389866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38A850 second address: 38A86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jp 00007F7374772AA8h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 je 00007F7374772AACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3899D4 second address: 389A87 instructions: 0x00000000 rdtsc 0x00000002 js 00007F737512BAE8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jmp 00007F737512BAEEh 0x00000013 pop edi 0x00000014 nop 0x00000015 jmp 00007F737512BAF4h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 jmp 00007F737512BAF5h 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d jmp 00007F737512BAF6h 0x00000032 mov eax, dword ptr [ebp+122D0C2Dh] 0x00000038 js 00007F737512BAE7h 0x0000003e cmc 0x0000003f push FFFFFFFFh 0x00000041 push 00000000h 0x00000043 push edi 0x00000044 call 00007F737512BAE8h 0x00000049 pop edi 0x0000004a mov dword ptr [esp+04h], edi 0x0000004e add dword ptr [esp+04h], 0000001Ch 0x00000056 inc edi 0x00000057 push edi 0x00000058 ret 0x00000059 pop edi 0x0000005a ret 0x0000005b nop 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F737512BAF2h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38A86A second address: 38A8C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7374772AB4h 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+1244A37Ch], ecx 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 mov ebx, 58271747h 0x00000019 pop edi 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F7374772AA8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 push eax 0x00000037 js 00007F7374772AB0h 0x0000003d pushad 0x0000003e pushad 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 389A87 second address: 389AAD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F737512BAF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jng 00007F737512BAECh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38C834 second address: 38C83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38BA1C second address: 38BA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAF4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38C83B second address: 38C862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AAEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38BA35 second address: 38BAD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a cld 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F737512BAE8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c call 00007F737512BAECh 0x00000031 mov di, 403Ch 0x00000035 pop ebx 0x00000036 mov ebx, dword ptr [ebp+122D3864h] 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007F737512BAE8h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 00000015h 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d mov eax, dword ptr [ebp+122D031Dh] 0x00000063 mov di, B200h 0x00000067 push FFFFFFFFh 0x00000069 pushad 0x0000006a movzx edx, bx 0x0000006d mov edx, dword ptr [ebp+122D1C68h] 0x00000073 popad 0x00000074 push eax 0x00000075 jc 00007F737512BAEEh 0x0000007b push edi 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38C862 second address: 38C868 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 391CEC second address: 391CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 390F33 second address: 390FA7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7374772AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ebx, dword ptr [ebp+122D2935h] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov di, E382h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F7374772AA8h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov ebx, dword ptr [ebp+1244B59Dh] 0x00000045 mov eax, dword ptr [ebp+122D0DD5h] 0x0000004b push FFFFFFFFh 0x0000004d jmp 00007F7374772AB7h 0x00000052 nop 0x00000053 jo 00007F7374772AB0h 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 393C52 second address: 393C75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F737512BAF8h 0x00000008 ja 00007F737512BAE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3304C9 second address: 3304CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3304CD second address: 3304D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3942EB second address: 3942F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3942F1 second address: 394368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+122D1882h] 0x00000010 push 00000000h 0x00000012 mov bl, E7h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F737512BAE8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 call 00007F737512BAF2h 0x00000035 mov dword ptr [ebp+122D2AF9h], esi 0x0000003b pop ebx 0x0000003c push eax 0x0000003d jng 00007F737512BB02h 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F737512BAF4h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 391EED second address: 391EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F7374772AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39632F second address: 396333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 396333 second address: 396339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 396339 second address: 396353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F737512BAF5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39826B second address: 398270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 398270 second address: 3982E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F737512BAEEh 0x00000010 jne 00007F737512BAF6h 0x00000016 popad 0x00000017 nop 0x00000018 mov di, 61E9h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F737512BAE8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 0000001Dh 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 mov dword ptr [ebp+1244D8C8h], esi 0x0000003e push 00000000h 0x00000040 mov ebx, dword ptr [ebp+122D37A8h] 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push esi 0x00000049 ja 00007F737512BAE6h 0x0000004f pop esi 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3982E8 second address: 3982EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3991FC second address: 39921A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAF9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3954CB second address: 3954D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39A248 second address: 39A24D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39C30E second address: 39C313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39C313 second address: 39C320 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F737512BAE6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A39E0 second address: 3A39E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A39E6 second address: 3A39EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A3575 second address: 3A357F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7374772AA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A357F second address: 3A3585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 39A388 second address: 39A38C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3A6EE1 second address: 1D0B72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jg 00007F737512BAE8h 0x00000014 jmp 00007F737512BAECh 0x00000019 popad 0x0000001a pop eax 0x0000001b jmp 00007F737512BAF3h 0x00000020 push dword ptr [ebp+122D12B5h] 0x00000026 jmp 00007F737512BAEEh 0x0000002b call dword ptr [ebp+122D1BF2h] 0x00000031 pushad 0x00000032 jnp 00007F737512BAFDh 0x00000038 jmp 00007F737512BAF7h 0x0000003d xor eax, eax 0x0000003f cmc 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 jmp 00007F737512BAF3h 0x00000049 mov dword ptr [ebp+122D38D4h], eax 0x0000004f mov dword ptr [ebp+122D19F2h], ecx 0x00000055 mov esi, 0000003Ch 0x0000005a add dword ptr [ebp+122D19F2h], eax 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 pushad 0x00000065 mov dword ptr [ebp+122D19F2h], esi 0x0000006b jg 00007F737512BAECh 0x00000071 popad 0x00000072 lodsw 0x00000074 jmp 00007F737512BAEAh 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d jne 00007F737512BAF8h 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 cld 0x00000088 nop 0x00000089 push eax 0x0000008a push edx 0x0000008b push eax 0x0000008c push edx 0x0000008d jmp 00007F737512BAF2h 0x00000092 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 399428 second address: 399493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e mov edx, dword ptr [ebp+122D19F7h] 0x00000014 popad 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F7374772AA8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov bx, di 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov edi, dword ptr [ebp+122D39D8h] 0x00000046 sbb edi, 2EDA0B3Eh 0x0000004c mov eax, dword ptr [ebp+122D0159h] 0x00000052 mov bx, B334h 0x00000056 push FFFFFFFFh 0x00000058 mov dword ptr [ebp+122D2FBDh], edx 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push ebx 0x00000064 pop ebx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 399493 second address: 3994AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3994AC second address: 3994C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 398476 second address: 39849C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jng 00007F737512BAE6h 0x00000010 jmp 00007F737512BAF5h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AE22D second address: 3AE233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AE233 second address: 3AE237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AEA99 second address: 3AEA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AEBB5 second address: 3AEBB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3AEBB9 second address: 3AEC38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB9h 0x00000007 jmp 00007F7374772AB8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F7374772AADh 0x00000013 push ebx 0x00000014 pushad 0x00000015 jmp 00007F7374772AB9h 0x0000001a jmp 00007F7374772AB7h 0x0000001f jg 00007F7374772AA6h 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B5FD9 second address: 3B6010 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F737512BAF9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F737512BAE8h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F737512BAEBh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B6010 second address: 3B601A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B5446 second address: 3B544A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B5776 second address: 3B577B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B577B second address: 3B5792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F737512BAEAh 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B58C5 second address: 3B58C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B58C9 second address: 3B58F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F737512BAE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F737512BAEDh 0x00000011 jmp 00007F737512BAEDh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BA614 second address: 3BA62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7374772AAFh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3844FD second address: 1D0B72 instructions: 0x00000000 rdtsc 0x00000002 je 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F737512BAECh 0x00000011 nop 0x00000012 mov ecx, eax 0x00000014 push dword ptr [ebp+122D12B5h] 0x0000001a mov ecx, dword ptr [ebp+122D2BE6h] 0x00000020 call dword ptr [ebp+122D1BF2h] 0x00000026 pushad 0x00000027 jnp 00007F737512BAFDh 0x0000002d xor eax, eax 0x0000002f cmc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 jmp 00007F737512BAF3h 0x00000039 mov dword ptr [ebp+122D38D4h], eax 0x0000003f mov dword ptr [ebp+122D19F2h], ecx 0x00000045 mov esi, 0000003Ch 0x0000004a add dword ptr [ebp+122D19F2h], eax 0x00000050 add esi, dword ptr [esp+24h] 0x00000054 pushad 0x00000055 mov dword ptr [ebp+122D19F2h], esi 0x0000005b jg 00007F737512BAECh 0x00000061 popad 0x00000062 lodsw 0x00000064 jmp 00007F737512BAEAh 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d jne 00007F737512BAF8h 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 cld 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007F737512BAF2h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384651 second address: 3846C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7374772AAFh 0x0000000e popad 0x0000000f add dword ptr [esp], 2B031606h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F7374772AA8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D1C05h] 0x00000036 push F37C85ECh 0x0000003b push esi 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F7374772AB6h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3847B7 second address: 3847D0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F737512BAE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F737512BAEAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3847D0 second address: 3847DA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7374772AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384900 second address: 384906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384906 second address: 38490C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38490C second address: 384910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384E6F second address: 384E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384FED second address: 384FF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 385125 second address: 38513A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7374772AAEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38513A second address: 385189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F737512BAF8h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F737512BAF6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 385208 second address: 385212 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 385212 second address: 385216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 385216 second address: 38528F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add ecx, 0F3C936Ah 0x00000010 lea eax, dword ptr [ebp+12486E6Ch] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F7374772AA8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D2BC7h], ebx 0x00000036 push eax 0x00000037 jmp 00007F7374772AAEh 0x0000003c mov dword ptr [esp], eax 0x0000003f mov edx, dword ptr [ebp+122D1AF9h] 0x00000045 mov dx, BD87h 0x00000049 lea eax, dword ptr [ebp+12486E28h] 0x0000004f mov di, ax 0x00000052 nop 0x00000053 pushad 0x00000054 push eax 0x00000055 pushad 0x00000056 popad 0x00000057 pop eax 0x00000058 jg 00007F7374772AA8h 0x0000005e popad 0x0000005f push eax 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 push esi 0x00000064 pop esi 0x00000065 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 38528F second address: 3852A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3B9D4F second address: 3B9D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BA1C9 second address: 3BA1CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BA1CD second address: 3BA1E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F7374772AB3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BA1E9 second address: 3BA209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAEDh 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F737512BAEBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BD2AC second address: 3BD2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jne 00007F7374772AA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3BD2B8 second address: 3BD2BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 33C016 second address: 33C052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7374772AB0h 0x00000014 pushad 0x00000015 jnp 00007F7374772AA6h 0x0000001b jmp 00007F7374772AAFh 0x00000020 jnp 00007F7374772AA6h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C16AB second address: 3C16B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C16B0 second address: 3C16BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C1A84 second address: 3C1AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnp 00007F737512BAEEh 0x0000000c jne 00007F737512BAE6h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F737512BAEDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C1AA9 second address: 3C1AD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F7374772AAEh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AB1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C1F8E second address: 3C1FA8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F737512BAF0h 0x00000010 jmp 00007F737512BAEAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24CB second address: 3C24D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24D1 second address: 3C24DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24DC second address: 3C24ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F7374772AACh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24ED second address: 3C24F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24F2 second address: 3C24F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24F8 second address: 3C24FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C24FE second address: 3C2504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C264F second address: 3C2655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C2655 second address: 3C2659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C139D second address: 3C13AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAECh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C63C1 second address: 3C63C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C63C5 second address: 3C63CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C63CB second address: 3C63E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7374772AB0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C63E1 second address: 3C6401 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F737512BAF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C6401 second address: 3C6407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3C6407 second address: 3C642C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F737512BAE6h 0x0000000a jbe 00007F737512BAE6h 0x00000010 popad 0x00000011 jmp 00007F737512BAEDh 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CB6EC second address: 3CB6FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F7374772AA6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CAFFA second address: 3CB009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jl 00007F737512BAE6h 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CB009 second address: 3CB026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CB16E second address: 3CB172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CB421 second address: 3CB42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CF3D8 second address: 3CF3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CED40 second address: 3CED60 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7374772AA6h 0x00000008 jmp 00007F7374772AB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CEE8D second address: 3CEE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CEE92 second address: 3CEEAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007F7374772AA6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F7374772AC1h 0x00000012 je 00007F7374772AACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CF0FF second address: 3CF103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CF103 second address: 3CF10B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3CF10B second address: 3CF13A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAF1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3F7C second address: 3D3F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3222 second address: 3D3234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F737512BAEAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3234 second address: 3D3242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3242 second address: 3D3257 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F737512BAF0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D33BC second address: 3D33EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB2h 0x00000007 jmp 00007F7374772AB9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D33EE second address: 3D33F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D33F4 second address: 3D33FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D36CD second address: 3D36D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D36D3 second address: 3D36E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7374772AA8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D36E1 second address: 3D36E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D36E8 second address: 3D36EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D381F second address: 3D3827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3827 second address: 3D3846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F7374772AA6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007F7374772AAEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3846 second address: 3D3860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jl 00007F737512BB1Bh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007F737512BAE6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D3860 second address: 3D3877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7374772AAFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D98C4 second address: 3D98E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F737512BAF6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D98E0 second address: 3D98FD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7374772AB1h 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D98FD second address: 3D9906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D9906 second address: 3D990A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81C3 second address: 3D81C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81C8 second address: 3D81CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81CE second address: 3D81D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81D2 second address: 3D81F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F7374772AACh 0x0000000e jnc 00007F7374772AA6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81F0 second address: 3D81F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D81F4 second address: 3D81FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D863E second address: 3D8648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F737512BAE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3D8648 second address: 3D865A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F7374772AA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 384CDD second address: 384CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3DAECF second address: 3DAED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E0397 second address: 3E039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E120F second address: 3E1213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1213 second address: 3E1217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1531 second address: 3E154F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7374772AA6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F7374772AACh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E154F second address: 3E1553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1553 second address: 3E1565 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F7374772AA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1DE4 second address: 3E1DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1DEB second address: 3E1DF9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7374772AA8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E1DF9 second address: 3E1DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E2091 second address: 3E20BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7374772AB0h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jnp 00007F7374772AA6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F7374772AA6h 0x00000019 jl 00007F7374772AA6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6123 second address: 3E6142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F737512BAF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E640A second address: 3E6418 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6568 second address: 3E656C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E656C second address: 3E6589 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AADh 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F7374772AA6h 0x0000000f jng 00007F7374772AA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6849 second address: 3E6861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F737512BAF3h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6861 second address: 3E68B1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7374772AA8h 0x00000008 jmp 00007F7374772AB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 jmp 00007F7374772AACh 0x00000016 pop edi 0x00000017 jnl 00007F7374772AA8h 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007F7374772AB9h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E69DC second address: 3E6A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 jmp 00007F737512BAEDh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F737512BAECh 0x00000015 jmp 00007F737512BAEFh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6A0F second address: 3E6A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6CD6 second address: 3E6CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3E6CDC second address: 3E6CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7374772AB2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3EB7C1 second address: 3EB7C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3EB7C6 second address: 3EB7F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7374772AB4h 0x0000000e jns 00007F7374772AA6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DC3 second address: 3F4DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DC9 second address: 3F4DDE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7374772AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnl 00007F7374772AA6h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DDE second address: 3F4DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DE9 second address: 3F4DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4DF1 second address: 3F4E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F737512BAE6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4E02 second address: 3F4E1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F32B7 second address: 3F32BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F32BB second address: 3F32BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F32BF second address: 3F32C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F35CC second address: 3F35E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F7374772AAEh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F35E1 second address: 3F35F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jc 00007F737512BAE6h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F3784 second address: 3F37A1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7374772AA6h 0x00000008 jmp 00007F7374772AB0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F390C second address: 3F3910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F3ACA second address: 3F3AF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F3E04 second address: 3F3E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F3E08 second address: 3F3E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4C3A second address: 3F4C44 instructions: 0x00000000 rdtsc 0x00000002 js 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3F4C44 second address: 3F4C49 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA78E second address: 3FA797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA797 second address: 3FA7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7374772AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA7B4 second address: 3FA7CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA7CA second address: 3FA7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA32B second address: 3FA351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F737512BAE6h 0x0000000a popad 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e je 00007F737512BAE6h 0x00000014 pop edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F737512BAECh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA351 second address: 3FA357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA488 second address: 3FA492 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA492 second address: 3FA496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA496 second address: 3FA49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA49E second address: 3FA4A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA4A4 second address: 3FA4C8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F737512BAE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F737512BAEFh 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 3FA4C8 second address: 3FA4DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7374772AA6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e js 00007F7374772AA6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4081EA second address: 4081F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4081F2 second address: 4081F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4081F6 second address: 408210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F737512BAF4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 40BEFD second address: 40BF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 40BF08 second address: 40BF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 40BF0C second address: 40BF27 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F7374772AA8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 40BF27 second address: 40BF40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF3h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4135C2 second address: 4135C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 41341D second address: 413423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 413423 second address: 413429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 413429 second address: 41342D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 41C660 second address: 41C664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 42164C second address: 421672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F737512BAF0h 0x00000009 jmp 00007F737512BAF1h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 421672 second address: 42167E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F7374772AA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 42167E second address: 42169C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F737512BAEBh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 42169C second address: 4216A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4217CA second address: 4217CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 421EF9 second address: 421EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 422A8F second address: 422A95 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 427508 second address: 42750E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 43D3D0 second address: 43D3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 43D3D9 second address: 43D3DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 44AEC5 second address: 44AEC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 44C6E5 second address: 44C6EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 44C6EB second address: 44C6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 44E509 second address: 44E515 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F7374772AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 477ED0 second address: 477ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 477ED4 second address: 477EE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AAAh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478184 second address: 478196 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F737512BAE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F737512BAE6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478304 second address: 47830A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47830A second address: 47830F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47830F second address: 478315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478315 second address: 47831B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47831B second address: 478358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AACh 0x00000007 jne 00007F7374772AA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007F7374772AC9h 0x00000017 jmp 00007F7374772AB7h 0x0000001c jc 00007F7374772AACh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478465 second address: 47846F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 478B53 second address: 478B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D00D second address: 47D011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D011 second address: 47D017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D017 second address: 47D021 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F737512BAECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D62D second address: 47D631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D631 second address: 47D63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47D63B second address: 47D63F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47EFA9 second address: 47EFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47EFAF second address: 47EFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47EAC0 second address: 47EAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 47EAC6 second address: 47EACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B406E4 second address: 4B40748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F737512BAF6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007F737512BAECh 0x00000018 pop esi 0x00000019 pushfd 0x0000001a jmp 00007F737512BAEBh 0x0000001f xor esi, 73258A6Eh 0x00000025 jmp 00007F737512BAF9h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B40748 second address: 4B407A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AB7h 0x00000009 or si, D07Eh 0x0000000e jmp 00007F7374772AB9h 0x00000013 popfd 0x00000014 mov bx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F7374772AAAh 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 mov bh, ah 0x00000025 mov si, di 0x00000028 popad 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e pop edi 0x0000002f push eax 0x00000030 pop edi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10128 second address: 4B10173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F737512BAEDh 0x0000000b adc ecx, 54075586h 0x00000011 jmp 00007F737512BAF1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F737512BAF8h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10173 second address: 4B10177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10177 second address: 4B1017D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B1017D second address: 4B101BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AACh 0x00000009 xor cl, FFFFFF88h 0x0000000c jmp 00007F7374772AABh 0x00000011 popfd 0x00000012 movzx eax, dx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007F7374772AB2h 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B101BC second address: 4B101C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B101C0 second address: 4B101C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B101C6 second address: 4B10252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007F737512BAEEh 0x00000011 pushfd 0x00000012 jmp 00007F737512BAF2h 0x00000017 and cl, FFFFFFA8h 0x0000001a jmp 00007F737512BAEBh 0x0000001f popfd 0x00000020 pop ecx 0x00000021 pushfd 0x00000022 jmp 00007F737512BAF9h 0x00000027 adc ah, FFFFFFC6h 0x0000002a jmp 00007F737512BAF1h 0x0000002f popfd 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F737512BAEDh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B800AF second address: 4B800B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00D57 second address: 4B00D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00D6B second address: 4B00E1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F7374772AB6h 0x00000010 push dword ptr [ebp+04h] 0x00000013 jmp 00007F7374772AB0h 0x00000018 push dword ptr [ebp+0Ch] 0x0000001b pushad 0x0000001c pushad 0x0000001d jmp 00007F7374772AACh 0x00000022 pushfd 0x00000023 jmp 00007F7374772AB2h 0x00000028 add al, 00000008h 0x0000002b jmp 00007F7374772AABh 0x00000030 popfd 0x00000031 popad 0x00000032 pushfd 0x00000033 jmp 00007F7374772AB8h 0x00000038 and ah, 00000068h 0x0000003b jmp 00007F7374772AABh 0x00000040 popfd 0x00000041 popad 0x00000042 push dword ptr [ebp+08h] 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F7374772AB5h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E1C second address: 4B00E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E2C second address: 4B00E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E69 second address: 4B00E6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E6F second address: 4B00E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B00E73 second address: 4B00E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CA7 second address: 4B70CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CAB second address: 4B70CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CB1 second address: 4B70CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CCE second address: 4B70CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CD2 second address: 4B70CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CE2 second address: 4B70CE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CE6 second address: 4B70CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CEC second address: 4B70CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CF2 second address: 4B70CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70CF6 second address: 4B70D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAF2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70D13 second address: 4B70D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70D19 second address: 4B70D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B4E second address: 4B50B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B53 second address: 4B50B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B59 second address: 4B50B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B5D second address: 4B50B87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F737512BAF0h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B87 second address: 4B50B8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B8D second address: 4B50B93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B93 second address: 4B50B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50B97 second address: 4B50BB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F737512BAEFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BB3 second address: 4B50BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BB7 second address: 4B50BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BBD second address: 4B50BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BCC second address: 4B50BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BD0 second address: 4B50BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50BDF second address: 4B50C06 instructions: 0x00000000 rdtsc 0x00000002 mov dl, BAh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop edx 0x00000009 movzx esi, dx 0x0000000c popad 0x0000000d popad 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F737512BAF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50C06 second address: 4B50C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50C18 second address: 4B50C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4BA00EB second address: 4BA0110 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7374772AADh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CC1 second address: 4B80CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CC7 second address: 4B80CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CCB second address: 4B80CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CCF second address: 4B80CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ecx, 340D98D3h 0x0000000f push eax 0x00000010 mov bl, C8h 0x00000012 pop ecx 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80CE7 second address: 4B80D29 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F737512BAF2h 0x00000008 add ax, FF88h 0x0000000d jmp 00007F737512BAEBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F737512BAF5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80D29 second address: 4B80D2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80D2F second address: 4B80D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10815 second address: 4B10828 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10828 second address: 4B1082E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B1082E second address: 4B10832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10832 second address: 4B10850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F737512BAEEh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10850 second address: 4B10854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10854 second address: 4B1085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B1085A second address: 4B10869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7374772AABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10869 second address: 4B10879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10879 second address: 4B1087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B1087D second address: 4B10881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B10881 second address: 4B10887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70D47 second address: 4B70DB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F737512BAF7h 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F737512BAF9h 0x0000000f adc al, 00000006h 0x00000012 jmp 00007F737512BAF1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F737512BAEEh 0x00000021 push eax 0x00000022 jmp 00007F737512BAEBh 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70DB6 second address: 4B70DBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70DBA second address: 4B70DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80466 second address: 4B804A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov ah, bh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7374772AAFh 0x00000014 xor si, 84BEh 0x00000019 jmp 00007F7374772AB9h 0x0000001e popfd 0x0000001f mov ax, EA07h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B804A8 second address: 4B804B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov bl, DAh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B804B9 second address: 4B804BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B804BF second address: 4B804C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 7AED81A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B804C9 second address: 4B80524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov edi, 47B7CD2Ch 0x0000000e mov dl, 90h 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F7374772AB9h 0x0000001b pop ecx 0x0000001c pushfd 0x0000001d jmp 00007F7374772AB1h 0x00000022 sub ecx, 02504466h 0x00000028 jmp 00007F7374772AB1h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80524 second address: 4B80550 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 push edi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e jmp 00007F737512BAF5h 0x00000013 and dword ptr [eax], 00000000h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80550 second address: 4B80554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80554 second address: 4B80567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80567 second address: 4B805D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AAFh 0x00000009 or al, FFFFFFAEh 0x0000000c jmp 00007F7374772AB9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F7374772AB0h 0x00000018 sbb al, 00000028h 0x0000001b jmp 00007F7374772AABh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 and dword ptr [eax+04h], 00000000h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F7374772AB5h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B805D5 second address: 4B805DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 01227DD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50A6F second address: 4B50AA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F7374772AB5h 0x0000000b jmp 00007F7374772AABh 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov dh, 77h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50AA1 second address: 4B50B02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F737512BAF6h 0x00000009 sbb eax, 029C8068h 0x0000000f jmp 00007F737512BAEBh 0x00000014 popfd 0x00000015 jmp 00007F737512BAF8h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F737512BAF7h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80E96 second address: 4B80E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80E9C second address: 4B80ECC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F737512BAF8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80ECC second address: 4B80EDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80EDB second address: 4B80EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80EF3 second address: 4B80F17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov ecx, 600E1D8Bh 0x00000013 mov si, 0767h 0x00000017 popad 0x00000018 pop ebp 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B80F17 second address: 4B80F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B307AE second address: 4B307B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B307B2 second address: 4B3082E instructions: 0x00000000 rdtsc 0x00000002 mov ah, 25h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F737512BAF5h 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F737512BAF3h 0x00000014 sub eax, 053B879Eh 0x0000001a jmp 00007F737512BAF9h 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F737512BAEAh 0x0000002b jmp 00007F737512BAF5h 0x00000030 popfd 0x00000031 mov dx, ax 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B3082E second address: 4B30850 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 5D11025Eh 0x00000008 call 00007F7374772AAFh 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B30850 second address: 4B30854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B30854 second address: 4B3085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B3085A second address: 4B30874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAF6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B30874 second address: 4B3089B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AB9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B3089B second address: 4B308A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B308A1 second address: 4B308C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7374772AAAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B308C0 second address: 4B308CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90A8D second address: 4B90AA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90AA8 second address: 4B90AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90AAD second address: 4B90AEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7374772AABh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F7374772AB6h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90AEE second address: 4B90AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90AF2 second address: 4B90B0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B0F second address: 4B90B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B15 second address: 4B90B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B19 second address: 4B90B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAEBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B2F second address: 4B90B58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 movsx edx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7374772AB9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B58 second address: 4B90B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90B68 second address: 4B90C65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [76FB65FCh] 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F7374772AB4h 0x00000017 add esi, 06235C68h 0x0000001d jmp 00007F7374772AABh 0x00000022 popfd 0x00000023 mov ecx, 7AAA125Fh 0x00000028 popad 0x00000029 test eax, eax 0x0000002b pushad 0x0000002c mov ecx, edi 0x0000002e popad 0x0000002f je 00007F73E6B1585Ah 0x00000035 jmp 00007F7374772AB9h 0x0000003a mov ecx, eax 0x0000003c jmp 00007F7374772AAEh 0x00000041 xor eax, dword ptr [ebp+08h] 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F7374772AB7h 0x0000004b jmp 00007F7374772AB3h 0x00000050 popfd 0x00000051 push ecx 0x00000052 pushfd 0x00000053 jmp 00007F7374772AAFh 0x00000058 and si, 97CEh 0x0000005d jmp 00007F7374772AB9h 0x00000062 popfd 0x00000063 pop eax 0x00000064 popad 0x00000065 and ecx, 1Fh 0x00000068 jmp 00007F7374772AB7h 0x0000006d ror eax, cl 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 popad 0x00000075 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90C65 second address: 4B90C6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90C6B second address: 4B90C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B90C71 second address: 4B90C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5001C second address: 4B50020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50020 second address: 4B50026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50026 second address: 4B5002B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5002B second address: 4B5003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5003B second address: 4B5003F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5003F second address: 4B50045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50045 second address: 4B50091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 508E5755h 0x00000008 mov ah, 13h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f movzx ecx, dx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F7374772AB0h 0x00000019 jmp 00007F7374772AB5h 0x0000001e popfd 0x0000001f popad 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F7374772AADh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50091 second address: 4B50106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F737512BAF7h 0x00000009 jmp 00007F737512BAF3h 0x0000000e popfd 0x0000000f jmp 00007F737512BAF8h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 jmp 00007F737512BAF0h 0x0000001e and esp, FFFFFFF8h 0x00000021 jmp 00007F737512BAF0h 0x00000026 xchg eax, ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50106 second address: 4B5010D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5010D second address: 4B50156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ch 0x00000005 mov edi, 72A27252h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F737512BAF8h 0x00000013 xchg eax, ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov dx, 5C80h 0x0000001b call 00007F737512BAF9h 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50156 second address: 4B501F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7374772AB8h 0x00000009 and esi, 5DC63D28h 0x0000000f jmp 00007F7374772AABh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a mov bx, cx 0x0000001d movzx ecx, dx 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007F7374772AAAh 0x00000027 xchg eax, ebx 0x00000028 jmp 00007F7374772AB0h 0x0000002d mov ebx, dword ptr [ebp+10h] 0x00000030 jmp 00007F7374772AB0h 0x00000035 xchg eax, esi 0x00000036 jmp 00007F7374772AB0h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007F7374772AACh 0x00000045 add ah, 00000048h 0x00000048 jmp 00007F7374772AABh 0x0000004d popfd 0x0000004e push eax 0x0000004f pop edi 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B501F3 second address: 4B50213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50213 second address: 4B50217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50217 second address: 4B5021B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5021B second address: 4B50221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50221 second address: 4B50227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50227 second address: 4B5022B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5022B second address: 4B50286 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F737512BAF0h 0x00000013 xchg eax, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ecx 0x00000019 pushfd 0x0000001a jmp 00007F737512BAF9h 0x0000001f sub al, FFFFFFD6h 0x00000022 jmp 00007F737512BAF1h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50286 second address: 4B502CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov di, ax 0x0000000d mov bl, ah 0x0000000f popad 0x00000010 xchg eax, edi 0x00000011 jmp 00007F7374772AB9h 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F7374772AB8h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B502CE second address: 4B502DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B502DD second address: 4B502E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B502E3 second address: 4B5032E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F73E7509E10h 0x0000000e jmp 00007F737512BAF7h 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a pushad 0x0000001b movzx esi, bx 0x0000001e mov esi, edx 0x00000020 popad 0x00000021 je 00007F73E7509DFBh 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F737512BAEFh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5032E second address: 4B50332 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50332 second address: 4B50385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, ecx 0x00000008 popad 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007F737512BAF0h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F737512BAEEh 0x0000001b adc si, 6C08h 0x00000020 jmp 00007F737512BAEBh 0x00000025 popfd 0x00000026 pushad 0x00000027 mov esi, 35138295h 0x0000002c popad 0x0000002d popad 0x0000002e test edx, 61000000h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B50385 second address: 4B5038D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B5038D second address: 4B503A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2914h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F73E7509DD5h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503A5 second address: 4B503A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503A9 second address: 4B503BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503BB second address: 4B503E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d pushad 0x0000000e mov edi, ecx 0x00000010 mov dx, cx 0x00000013 popad 0x00000014 jne 00007F73E6B50D72h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503E1 second address: 4B503E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B503E5 second address: 4B503EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70010 second address: 4B7001F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7001F second address: 4B70025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70025 second address: 4B70029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70029 second address: 4B7002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7002D second address: 4B7005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a mov esi, 47620689h 0x0000000f jmp 00007F737512BAF6h 0x00000014 popad 0x00000015 mov dword ptr [esp], ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7005C second address: 4B70060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70060 second address: 4B70064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70064 second address: 4B7006A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7006A second address: 4B700DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 05B4h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c jmp 00007F737512BAF3h 0x00000011 and esp, FFFFFFF8h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F737512BAEBh 0x0000001d jmp 00007F737512BAF3h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F737512BAF8h 0x00000029 xor cx, 40F8h 0x0000002e jmp 00007F737512BAEBh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B700DA second address: 4B70114 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7374772AAFh 0x00000008 call 00007F7374772AB8h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ah, bl 0x00000017 mov eax, 57B0F01Bh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70114 second address: 4B70124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F737512BAECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70124 second address: 4B70168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e jmp 00007F7374772AB6h 0x00000013 xchg eax, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F7374772AB7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70168 second address: 4B7016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7016E second address: 4B70186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70186 second address: 4B7018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7018A second address: 4B70190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70190 second address: 4B701F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov dh, ah 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F737512BAEBh 0x00000014 jmp 00007F737512BAF3h 0x00000019 popfd 0x0000001a popad 0x0000001b popad 0x0000001c mov esi, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F737512BAEBh 0x00000028 jmp 00007F737512BAF3h 0x0000002d popfd 0x0000002e mov ch, 2Eh 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B701F1 second address: 4B70212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, A6h 0x00000005 call 00007F7374772AADh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebx, 00000000h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70212 second address: 4B7022B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7022B second address: 4B70231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70231 second address: 4B70235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70235 second address: 4B702C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7374772AB4h 0x00000014 and ecx, 1A0FF318h 0x0000001a jmp 00007F7374772AABh 0x0000001f popfd 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F7374772AB6h 0x00000027 adc si, DD78h 0x0000002c jmp 00007F7374772AABh 0x00000031 popfd 0x00000032 popad 0x00000033 popad 0x00000034 je 00007F73E6B28B91h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F7374772AB7h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B702C4 second address: 4B702E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B702E1 second address: 4B702E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B702E7 second address: 4B7030D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7030D second address: 4B70311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70311 second address: 4B70317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70317 second address: 4B7033C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 mov di, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, esi 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007F7374772AB3h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7033C second address: 4B70365 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 0CCA1741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a je 00007F73E74E1B43h 0x00000010 jmp 00007F737512BAECh 0x00000015 test byte ptr [76FB6968h], 00000002h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70365 second address: 4B70369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70369 second address: 4B70386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F737512BAF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70386 second address: 4B7038B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7038B second address: 4B703E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 59h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F73E74E1B08h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F737512BAF1h 0x00000018 or ah, 00000056h 0x0000001b jmp 00007F737512BAF1h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F737512BAF0h 0x00000027 and eax, 1BA2F078h 0x0000002d jmp 00007F737512BAEBh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B703E8 second address: 4B703EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B703EE second address: 4B703F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B703F2 second address: 4B70419 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov di, ax 0x00000011 call 00007F7374772AB4h 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70419 second address: 4B70439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F737512BAF5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70439 second address: 4B7043F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B7043F second address: 4B70443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70443 second address: 4B70462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B70462 second address: 4B704DC instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 67120F74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F737512BAEDh 0x0000000f adc esi, 0BB84D36h 0x00000015 jmp 00007F737512BAF1h 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e jmp 00007F737512BAECh 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F737512BAF0h 0x0000002a xor cl, FFFFFF88h 0x0000002d jmp 00007F737512BAEBh 0x00000032 popfd 0x00000033 mov eax, 0C89CFFFh 0x00000038 popad 0x00000039 popad 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F737512BAF1h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B704DC second address: 4B704F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7374772AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	RDTSC instruction interceptor: First address: 4B704F8 second address: 4B704FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 1D0BD6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 1D0B05 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 373A87 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 1CE10A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 39CF2B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Special instruction interceptor: First address: 3FCAEB instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 320BD6 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 320B05 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 4C3A87 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 31E10A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 4ECF2B instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 54CAEB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 570BD6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 570B05 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 713A87 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 56E10A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 73CF2B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 79CAEB instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Code function: 0_2_04BC0728 rdtsc

0_2_04BC0728

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 1247	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 1188	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 1207	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 1009	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Window / User API: threadDelayed 403	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1265	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1266	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1182	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1229	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1302	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1323	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1270	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1217	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1275	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1521	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1502	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1526	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1371	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1499	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-16310
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_5-18440
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7344	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7344	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7340	Thread sleep count: 1247 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7340	Thread sleep time: -2495247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7412	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7304	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320	Thread sleep count: 1188 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320	Thread sleep time: -2377188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7328	Thread sleep count: 1207 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7328	Thread sleep time: -2415207s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7304	Thread sleep count: 205 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324	Thread sleep count: 1009 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324	Thread sleep time: -2019009s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7304	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324	Thread sleep count: 293 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7324	Thread sleep time: -586293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320	Thread sleep count: 403 > 30	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe TID: 7320	Thread sleep time: -806403s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7612	Thread sleep time: -84042s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596	Thread sleep count: 1265 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596	Thread sleep time: -2531265s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556	Thread sleep count: 227 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588	Thread sleep count: 1266 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588	Thread sleep time: -2533266s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7708	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7708	Thread sleep time: -80040s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7692	Thread sleep count: 1182 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7692	Thread sleep time: -2365182s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep count: 105 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep count: 81 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7688	Thread sleep count: 1229 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7688	Thread sleep time: -2459229s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep count: 215 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7700	Thread sleep count: 1302 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7700	Thread sleep time: -2605302s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7920	Thread sleep time: -76038s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7904	Thread sleep count: 1323 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7904	Thread sleep time: -2647323s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7992	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876	Thread sleep count: 153 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7896	Thread sleep count: 1270 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7896	Thread sleep time: -2541270s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7876	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7900	Thread sleep count: 1217 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7900	Thread sleep time: -2435217s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892	Thread sleep count: 1275 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892	Thread sleep time: -2551275s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7220	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7220	Thread sleep time: -118059s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7196	Thread sleep count: 58 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7196	Thread sleep time: -116058s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 70 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 112 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6440	Thread sleep count: 1521 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6440	Thread sleep time: -3043521s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4080	Thread sleep count: 1502 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4080	Thread sleep time: -3005502s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 113 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4900	Thread sleep count: 1526 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4900	Thread sleep time: -3053526s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 82 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4828	Thread sleep count: 1371 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4828	Thread sleep time: -2743371s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2724	Thread sleep count: 1499 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2724	Thread sleep time: -2999499s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6280	Thread sleep count: 41 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: 90ZF1EDs9h.exe, 00000000.00000003.1672128094.0000000000B88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}z]
Source: MPGPH131.exe, 00000005.00000003.1694159336.0000000000D45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: RageMP131.exe, 00000009.00000003.1891360029.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp'
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&%
Source: MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: MPGPH131.exe, 00000006.00000003.1711821266.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}v
Source: RageMP131.exe, 00000009.00000003.1891360029.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Fc
Source: 90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: RageMP131.exe, 00000007.00000003.1811415935.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000009.00000002.2964515667.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&db
Source: 90ZF1EDs9h.exe, 00000000.00000002.2960879822.0000000000354000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2962287913.00000000004A4000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2961218867.00000000004A4000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.2962318691.00000000006F4000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 00000007.00000003.1811415935.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}o
Source: 90ZF1EDs9h.exe, 00000000.00000003.1672128094.0000000000B88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000007.00000002.2965177153.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&;

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_04BC04E4 Start: 04BC055D End: 04BC04A1	0_2_04BC04E4
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Code function: 0_2_04BC0AEF Start: 04BC0AF6 End: 04BC0B00	0_2_04BC0AEF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_04D102F9 Start: 04D10474 End: 04D102C8	5_2_04D102F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_04C50587 Start: 04C505B6 End: 04C505BC	6_2_04C50587
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_04F803CB Start: 04F80525 End: 04F80403	7_2_04F803CB

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Code function: 0_2_04BC0728 rdtsc

0_2_04BC0728

Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.2961012549.00000000006F4000.00000040.00000001.01000000.00000006.sdmp

Binary or memory string: xProgram Manager

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Code function: 0_2_0007361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_0007361D

Source: C:\Users\user\Desktop\90ZF1EDs9h.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: 90ZF1EDs9h.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7132, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: 90ZF1EDs9h.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7132, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	24 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	741 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	24 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	2 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	214 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
90ZF1EDs9h.exe	53%	Virustotal		Browse
90ZF1EDs9h.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	50%	ReversingLabs	Win32.Trojan.RisePro
C:\ProgramData\MPGPH131\MPGPH131.exe	53%	Virustotal		Browse
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	50%	ReversingLabs	Win32.Trojan.RisePro
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	53%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ipinfo.io	0%	Virustotal		Browse
db-ip.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://ipinfo.io/	0%	URL Reputation	safe
https://ipinfo.io:443/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33J	0%	Avira URL Cloud	safe
https://t.me/risepro_botSS	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33$	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33#H	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33H	0%	Avira URL Cloud	safe
https://t.v	0%	Avira URL Cloud	safe
https://db-ip.com/	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://ipinfo.io/alj	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33S	0%	Avira URL Cloud	safe
https://db-ip.com/	0%	Virustotal		Browse
https://t.me/risepro_botSS	0%	Virustotal		Browse
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Virustotal		Browse
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://t.me/risepro	0%	Avira URL Cloud	safe
https://ipinfo.io/Mozilla/5.0	0%	Avira URL Cloud	safe
https://t.me/risepro_botA$	0%	Avira URL Cloud	safe
https://ipinfo.io/tuO	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33~	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Virustotal		Browse
https://t.me/risepro_botj/	0%	Avira URL Cloud	safe
https://ipinfo.io/Mozilla/5.0	0%	Virustotal		Browse
https://t.me/risepro_bot	0%	Avira URL Cloud	safe
https://t.me/risepro	0%	Virustotal		Browse
https://t.me/RiseProSUPPORT8?	0%	Avira URL Cloud	safe
https://t.me/risepro_botGc	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://t.me/risepro_bot	0%	Virustotal		Browse
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://t.me/riseproD	0%	Avira URL Cloud	safe
https://ipinfo.io/s	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33q	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Virustotal		Browse
https://t.me/risepro_botisepro_bot	0%	Avira URL Cloud	safe
https://ipinfo.io/s	0%	Virustotal		Browse
http://www.winimage.com/zLibDll	0%	Avira URL Cloud	safe
https://t.me/riseproF	0%	Avira URL Cloud	safe
https://t.me/risepro_botisepro_bot	0%	Virustotal		Browse
https://t.me/riseproD	0%	Virustotal		Browse
https://ipinfo.io/W&	0%	Avira URL Cloud	safe
https://db-ip.com/l/.	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTz	0%	Avira URL Cloud	safe
https://t.me/risepro_botp	0%	Avira URL Cloud	safe
https://t.me/risepro_botp	0%	Virustotal		Browse
https://t.me/RiseProSUPPORTz	1%	Virustotal		Browse
http://www.winimage.com/zLibDll	1%	Virustotal		Browse
https://db-ip.com/l/.	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false	0%, Virustotal, Browse	unknown
db-ip.com	104.26.5.15	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/	false	URL Reputation: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://db-ip.com/demo/home.php?s=8.46.123.33$	MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33J	MPGPH131.exe, 00000006.00000002.2965067378.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/8.46.123.33	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botSS	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33#H	RageMP131.exe, 00000007.00000002.2965177153.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33H	MPGPH131.exe, 00000006.00000002.2965067378.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.v	90ZF1EDs9h.exe, 00000000.00000002.2975858179.0000000007720000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319159509.0000000000E53000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E54000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33S	MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302053976.0000000000D83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/alj	MPGPH131.exe, 00000006.00000002.2965067378.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/Mozilla/5.0	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2319200721.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/risepro	MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/tuO	RageMP131.exe, 00000009.00000002.2964515667.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botA$	RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33~	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B86000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botj/	MPGPH131.exe, 00000006.00000002.2965067378.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot	RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT8?	MPGPH131.exe, 00000006.00000002.2965067378.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botGc	RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	RageMP131.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/riseproD	MPGPH131.exe, 00000005.00000002.2967167251.0000000000D84000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/s	MPGPH131.exe, 00000006.00000002.2965067378.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33q	MPGPH131.exe, 00000005.00000002.2965341053.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2965341053.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2302116387.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2965177153.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botisepro_bot	RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	90ZF1EDs9h.exe, 00000000.00000003.1654226982.0000000004960000.00000004.00001000.00020000.00000000.sdmp, 90ZF1EDs9h.exe, 00000000.00000002.2960516340.0000000000041000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1681138634.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2960518096.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.2960323258.0000000000191000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1681761352.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1788309686.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2960594163.00000000003E1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.1867802367.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2960668282.00000000003E1000.00000040.00000001.01000000.00000006.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/riseproF	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/W&	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/l/.	RageMP131.exe, 00000009.00000002.2964515667.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTz	90ZF1EDs9h.exe, 00000000.00000002.2964592286.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/risepro_botp	RageMP131.exe, 00000007.00000002.2965177153.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
104.26.5.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false
77.91.77.66	unknown	Russian Federation	42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1461305
Start date and time:	2024-06-23 18:34:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	90ZF1EDs9h.exe renamed because original name is a hash value
Original Sample Name:	9437d6cf2745f8683c3aa908e01b03cf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:35:26	API Interceptor	1155850x Sleep call for process: 90ZF1EDs9h.exe modified
12:35:29	API Interceptor	1968147x Sleep call for process: MPGPH131.exe modified
12:35:39	API Interceptor	1362557x Sleep call for process: RageMP131.exe modified
17:34:58	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:34:58	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:35:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
17:35:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
104.26.5.15	SecuriteInfo.com.Win64.Evo-gen.17494.7440.exe	Get hash	malicious	Unknown	Browse	api.db-ip.com/v2/free/127.0.0.1
	Nemty.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/84.17.52.2/countryName
	227.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/102.129.143.40/countryName
77.91.77.66	Ke5ufWcgxp.exe	Get hash	malicious	RisePro Stealer	Browse
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse
	PNO3otPYOa.exe	Get hash	malicious	RisePro Stealer	Browse
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse
	AlCsIOd0pd.exe	Get hash	malicious	RisePro Stealer	Browse
	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	bFZYRLnRIz.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer	Browse	34.117.186.192
	4h4b4EWVNU.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	34.117.186.192
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	PNO3otPYOa.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
db-ip.com	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	http://feedbackreview-id0284892389423.d1o0pnrgaue9g2.amplifyapp.com/index.html	Get hash	malicious	Unknown	Browse	104.26.4.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	PNO3otPYOa.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	104.26.5.15
	D44CPdpkNk.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	setup.exe	Get hash	malicious	Amadey	Browse	77.91.77.81
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	77.91.77.81
	Ke5ufWcgxp.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	yWny5Jds8b.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	77.91.77.81
	file.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	77.91.77.81
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	file.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	77.91.77.81
	setup.exe	Get hash	malicious	Amadey	Browse	77.91.77.81
	It5068xROy.dll	Get hash	malicious	RedLine	Browse	77.91.77.6
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	bFZYRLnRIz.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer	Browse	34.117.186.192
	http://dllavy.wixsite.com/mybt-view/	Get hash	malicious	Unknown	Browse	34.117.60.144
	4h4b4EWVNU.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	34.117.186.192
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://peringatanfb772.wixsite.com/mysite	Get hash	malicious	Unknown	Browse	34.117.60.144
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
CLOUDFLARENETUS	FieroHack.exe	Get hash	malicious	LummaC, Xmrig	Browse	104.21.49.90
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.89.170
	Extreme injector.exe	Get hash	malicious	LummaC	Browse	104.21.49.90
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse	104.26.3.16
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse	104.26.3.16
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	188.114.97.3
	qEGv2vQa9X.elf	Get hash	malicious	Mirai	Browse	1.14.29.35
	zQ35ev2Uw0.elf	Get hash	malicious	Mirai	Browse	1.14.29.22
	3jeKnZMljk.elf	Get hash	malicious	Mirai	Browse	1.4.15.178
	iDUGkVNndq.elf	Get hash	malicious	Mirai	Browse	1.13.112.146

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	FieroHack.exe	Get hash	malicious	LummaC, Xmrig	Browse	104.26.5.15 34.117.186.192
	setup.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192
	Extreme injector.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	SecuriteInfo.com.Win64.DropperX-gen.26552.421.exe	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	104.26.5.15 34.117.186.192
	yWny5Jds8b.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	104.26.5.15 34.117.186.192
	abc.docx	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	bFZYRLnRIz.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer	Browse	104.26.5.15 34.117.186.192
	YNsc5U2Qff.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2432512
Entropy (8bit):	7.963848035462459
Encrypted:	false
SSDEEP:	49152:jtkCJbOK+TKeNUXXO08QNPXzhVJGcF6V5sN7sqlvI:hkaOz32XxNPXzwcF8uN7sS
MD5:	9437D6CF2745F8683C3AA908E01B03CF
SHA1:	4B954D00882C8249D11B61440976B2993AE4738A
SHA-256:	D3D0EEAB1A06460ED303B065248DB53D47BFD5C253324B0D2F9EFCC2DC700A47
SHA-512:	8F8EF99107B126D82D5545ED8108FD1ECB6C3B743134766A1C213EE0667CADD1F0F0ADD0A3F2B111D990E45CD2A10480EB2DD44276CC4956F3DBAA5EA46F2F8E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 53%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|........^...........@..........................._.....R.%...@.................................^...r.......8.....................^...............................^..............................6..@................... . ............................@....rsrc...8...........................@....idata ............................@... ..+.........................@...pobzuwwq. ....D.....................@...bxltxemr......^.......$.............@....taggant.0....^.."....$.............@...........................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2432512
Entropy (8bit):	7.963848035462459
Encrypted:	false
SSDEEP:	49152:jtkCJbOK+TKeNUXXO08QNPXzhVJGcF6V5sN7sqlvI:hkaOz32XxNPXzwcF8uN7sS
MD5:	9437D6CF2745F8683C3AA908E01B03CF
SHA1:	4B954D00882C8249D11B61440976B2993AE4738A
SHA-256:	D3D0EEAB1A06460ED303B065248DB53D47BFD5C253324B0D2F9EFCC2DC700A47
SHA-512:	8F8EF99107B126D82D5545ED8108FD1ECB6C3B743134766A1C213EE0667CADD1F0F0ADD0A3F2B111D990E45CD2A10480EB2DD44276CC4956F3DBAA5EA46F2F8E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 53%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|........^...........@..........................._.....R.%...@.................................^...r.......8.....................^...............................^..............................6..@................... . ............................@....rsrc...8...........................@....idata ............................@... ..+.........................@...pobzuwwq. ....D.....................@...bxltxemr......^.......$.............@....taggant.0....^.."....$.............@...........................................................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\90ZF1EDs9h.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.565448371820826
Encrypted:	false
SSDEEP:	3:LQ4d:X
MD5:	7640C92C58528DD1D0FD215B3C8CC25A
SHA1:	8AB07336FF3C7903709E417E34F15422F009A63E
SHA-256:	1D49814F62680FAE227628DA18EBC5CAC764B1BABD2DEF8472E02B4AE0E4463D
SHA-512:	B36EA4DDB0DEB9D7B5D4DD931DAB71270BFC880A3557F5432364222B2B18BBB434D5B81E171C8DA3AA68BDDB501BC0CA4F35163CD467E4526BB36ABF10F22DB1
Malicious:	false
Reputation:	low
Preview:	1719165164968

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.963848035462459
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	90ZF1EDs9h.exe
File size:	2'432'512 bytes
MD5:	9437d6cf2745f8683c3aa908e01b03cf
SHA1:	4b954d00882c8249d11b61440976b2993ae4738a
SHA256:	d3d0eeab1a06460ed303b065248db53d47bfd5c253324b0d2f9efcc2dc700a47
SHA512:	8f8ef99107b126d82d5545ed8108fd1ecb6c3b743134766a1c213ee0667cadd1f0f0add0a3f2b111d990e45cd2a10480eb2dd44276cc4956f3dbaa5ea46f2f8e
SSDEEP:	49152:jtkCJbOK+TKeNUXXO08QNPXzhVJGcF6V5sN7sqlvI:hkaOz32XxNPXzwcF8uN7sS
TLSH:	10B53322E936E654FC52253816FA4197E33ADA345E9A7AA17605334F8B77310FFBE004
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

File Icon


Icon Hash:	8596a1a0a1a1b171

Static PE Info

General

Entrypoint:	0x9ed000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x664C6914 [Tue May 21 09:27:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F7374C81B8Ah
paddb mm4, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F7374C83B85h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18c05e	0x72	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18a000	0x1638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5eb6f8	0x10	pobzuwwq
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5eb6a8	0x18	pobzuwwq
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x18369c	0x40
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x189000	0xab400	2889d39d9afe63d22158841a0070b7f2	False	0.998056854470803	data	7.980016205845924	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x18a000	0x1638	0x1800	fe6f3fdb9e7e97cba92d8ce4e4fcc95b	False	0.7220052083333334	data	6.54017046361188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x18c000	0x1000	0x200	0e14477ce436cc9ebd87f17a92173639	False	0.1640625	data	1.180504109820196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x18d000	0x2bd000	0x200	8d1043f3f55c05ca6d9abd5bceaadddc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pobzuwwq	0x44a000	0x1a2000	0x1a1800	fef0d23f91621cfcdea52c9493f96f57	False	0.9947049260853293	data	7.953477305499687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bxltxemr	0x5ec000	0x1000	0x400	cf8df7fe015740d70b8493e719059a83	False	0.80078125	data	6.2687999848900615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5ed000	0x3000	0x2200	f1ae51caf03b7b6be6e749c08b032732	False	0.06410845588235294	DOS executable (COM)	0.772229905710431	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x18a440	0x1060	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.8838263358778626
RT_GROUP_ICON	0x18b4a0	0x14	data	Russian	Russia	1.05
RT_VERSION	0x18a130	0x310	data	Russian	Russia	0.45408163265306123
RT_MANIFEST	0x18b4b8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/23/24-18:37:04.646362	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49732	58709	192.168.2.4	77.91.77.66
06/23/24-18:37:07.646023	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49731	58709	192.168.2.4	77.91.77.66
06/23/24-18:37:06.583631	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49747	58709	192.168.2.4	77.91.77.66
06/23/24-18:34:58.970157	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49731	58709	192.168.2.4	77.91.77.66
06/23/24-18:35:36.288691	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49747	77.91.77.66	192.168.2.4
06/23/24-18:37:05.458696	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49735	58709	192.168.2.4	77.91.77.66
06/23/24-18:35:02.465607	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49732	77.91.77.66	192.168.2.4
06/23/24-18:35:21.729696	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49747	77.91.77.66	192.168.2.4
06/23/24-18:34:59.553336	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49731	77.91.77.66	192.168.2.4
06/23/24-18:35:03.603959	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49733	77.91.77.66	192.168.2.4
06/23/24-18:37:04.786800	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49733	58709	192.168.2.4	77.91.77.66
06/23/24-18:35:13.471006	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49735	77.91.77.66	192.168.2.4
06/23/24-18:35:12.390867	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49731	77.91.77.66	192.168.2.4
06/23/24-18:35:13.312009	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49732	77.91.77.66	192.168.2.4
06/23/24-18:35:14.392680	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49733	77.91.77.66	192.168.2.4
06/23/24-18:35:28.664022	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49735	77.91.77.66	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 23, 2024 18:34:58.939028025 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:34:58.944359064 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:34:58.944461107 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:34:58.970156908 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:34:58.975405931 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:34:59.553335905 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:34:59.598020077 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:01.146855116 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:01.152257919 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:01.152337074 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:01.172148943 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:01.179097891 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:02.465606928 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:02.520031929 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.676666021 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.681879044 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:02.911896944 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.918407917 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:02.918668032 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.938585043 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:02.949948072 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:03.603959084 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:03.645085096 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:05.600729942 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:05.607413054 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:06.723187923 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:06.728193045 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:12.390866995 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:12.441975117 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:12.493689060 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.493726969 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.493788958 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.494719028 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.494730949 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.871846914 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:12.877345085 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:12.877439022 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:12.899554968 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:12.905499935 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:12.952986956 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.953052044 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.955729008 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:12.955739021 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.955966949 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:12.995399952 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.036539078 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.125442028 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.125550985 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.125593901 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.128230095 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.128248930 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.128259897 CEST	49734	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.128264904 CEST	443	49734	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.157634974 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.157723904 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.158070087 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.158212900 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.158245087 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.312009096 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:13.363712072 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:13.401850939 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.401875973 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.401951075 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.402900934 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.402909994 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.471005917 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:13.519956112 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:13.641647100 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.641832113 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.643337011 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.643395901 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.643635035 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.644740105 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.692588091 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.877681017 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.877765894 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.877938032 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.878024101 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.878024101 CEST	49736	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:13.878098965 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.878130913 CEST	443	49736	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:13.878499985 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:13.880835056 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.880928040 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.881979942 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.881985903 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.882201910 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:13.883603096 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:13.926204920 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.931946039 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:13.972539902 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.065515995 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.065614939 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.065699100 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.066260099 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.066277027 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.066303968 CEST	49738	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.066308975 CEST	443	49738	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.068361998 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.068375111 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.068470955 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.068757057 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.068767071 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.392679930 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:14.441984892 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:14.539515018 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.539608002 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.549438000 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.549454927 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.549674988 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.550885916 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.551362991 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.551450968 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.551551104 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.553174973 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:14.553226948 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:14.596513987 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.735122919 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.735215902 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.735342979 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.735496998 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.735496998 CEST	49740	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:14.735511065 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.735518932 CEST	443	49740	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:14.736361027 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:14.741449118 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:15.027765036 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.027846098 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.033541918 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.033582926 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.033845901 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.082695961 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.222057104 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.264548063 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.357161999 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.357269049 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.357356071 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.358289003 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.358289003 CEST	49741	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:15.358357906 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.358393908 CEST	443	49741	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:15.360291958 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.360335112 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.360414028 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.360716105 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.360737085 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.833093882 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.833230972 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.835309982 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.835370064 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.835608959 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:15.842025995 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:15.884572983 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:16.018692017 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:16.018981934 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:16.019192934 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:16.019192934 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:16.019192934 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:16.019500017 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:16.024492025 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:16.316981077 CEST	49744	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:16.317047119 CEST	443	49744	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:16.599487066 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:16.604655027 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:20.868304968 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:20.875525951 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:20.875688076 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:20.894154072 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:20.899358988 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:21.729696035 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:21.785727978 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:24.848390102 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:24.855691910 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:25.808855057 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:25.863987923 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:26.038768053 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:26.082534075 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:26.221426010 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:26.270159960 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:28.664021969 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:28.707535028 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:28.775810003 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:28.775901079 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:28.775986910 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:28.776850939 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:28.776876926 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.249680996 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.249789953 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.250977039 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.251008987 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.251353025 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.301275015 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.304995060 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.348584890 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.436757088 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.436899900 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.436965942 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.437676907 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.437721968 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.437751055 CEST	49748	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:29.437767029 CEST	443	49748	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:29.439748049 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.439837933 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.439920902 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.440191031 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.440217972 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.921181917 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.921413898 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.922535896 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.922629118 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.922993898 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:29.924138069 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:29.964550018 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104144096 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104262114 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104345083 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:30.104547024 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:30.104604959 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104645014 CEST	49749	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:30.104661942 CEST	443	49749	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:30.104799032 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:30.109746933 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:32.067198038 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:32.072654009 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:32.827420950 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:32.879416943 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:35.426471949 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:35.434161901 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:35.598685026 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:35.604379892 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:36.288691044 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:36.332581997 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:36.405381918 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.405467987 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.405548096 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.406512022 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.406552076 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.870301008 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.870533943 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.873888969 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.873945951 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.874315977 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:36.915782928 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:36.960587025 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:37.044912100 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:37.045202971 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:37.045454979 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:37.045454979 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:37.045454979 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:37.047142982 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.047256947 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.047334909 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.047584057 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.047621965 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.348263025 CEST	49750	443	192.168.2.4	34.117.186.192
Jun 23, 2024 18:35:37.348328114 CEST	443	49750	34.117.186.192	192.168.2.4
Jun 23, 2024 18:35:37.721832037 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.721927881 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.723264933 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.723303080 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.723639011 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.724754095 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.772495985 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900257111 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900552034 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900624990 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.900702000 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.900751114 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900799990 CEST	49751	443	192.168.2.4	104.26.5.15
Jun 23, 2024 18:35:37.900815964 CEST	443	49751	104.26.5.15	192.168.2.4
Jun 23, 2024 18:35:37.900995016 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:37.906968117 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:38.332878113 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:38.338552952 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:41.457818985 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:41.676461935 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:41.693837881 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:41.879678011 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:41.988967896 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.004471064 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.191961050 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.349049091 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.349560976 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.349634886 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.349674940 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.349731922 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:42.351248980 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351279020 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351306915 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351339102 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351366997 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351398945 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:42.351439953 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:44.371795893 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:44.426351070 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:44.442219973 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:44.447124004 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:45.020314932 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:45.025675058 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:45.348522902 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:45.353976011 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:47.410583973 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:47.457608938 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:47.489289045 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:47.504838943 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:47.638755083 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:47.639239073 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:48.145483971 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:48.150768042 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:48.236190081 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:48.285854101 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:48.285972118 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:48.291534901 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:49.208529949 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:49.254482031 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:49.336169958 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:49.379503012 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:49.469643116 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:49.520140886 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:51.614125967 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:51.619298935 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:51.736634016 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:51.770386934 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:51.775435925 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:52.332884073 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:52.338912964 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:52.473480940 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:52.480582952 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:52.582792044 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:52.587893009 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:53.586498976 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:53.629563093 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:53.676635027 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:53.681626081 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:54.864085913 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:54.869389057 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:55.473392963 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:55.478650093 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:55.598534107 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:55.606103897 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:55.708446980 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:55.715094090 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:56.707835913 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:56.713270903 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:57.989167929 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:57.994687080 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:58.614278078 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:58.619864941 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:58.739018917 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:58.744657993 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:35:58.839248896 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:35:58.844578028 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:00.045552015 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:00.098261118 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:01.129982948 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:01.135159016 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:01.636744976 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:01.848262072 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:01.958117962 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:01.963093042 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:02.062897921 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:02.113991976 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:02.973634958 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:02.979120016 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:03.161379099 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:03.249124050 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:03.249744892 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:03.317265987 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:03.317338943 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:04.771620035 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:04.776926994 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:05.223829031 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:05.228847980 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:06.098754883 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:06.103771925 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:06.286355019 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:06.291388035 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:06.364468098 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:06.369788885 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:07.157258987 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:07.255112886 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:07.260281086 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:07.895575047 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:07.900929928 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:08.349034071 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:08.354177952 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:09.426862955 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:09.431888103 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:09.489721060 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:09.494760036 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:10.286386013 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:10.305349112 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:11.020863056 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:11.026087999 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:11.284737110 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:11.332681894 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:11.489408970 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:11.500243902 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:12.097340107 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:12.145173073 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:12.568563938 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:12.573581934 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:14.145618916 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:14.151154041 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:14.427030087 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:14.432101011 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:14.631315947 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:14.636296034 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:15.239362001 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:15.244395018 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:15.692759037 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:15.697943926 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:17.271881104 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:17.277091980 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:17.552079916 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:17.557306051 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:17.573442936 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:17.645200968 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:17.755362988 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:17.760474920 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.297748089 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.489083052 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:18.571548939 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.645210981 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:18.645979881 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:18.650908947 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.743520021 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:18.879582882 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:20.507417917 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:20.511279106 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:20.516568899 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:20.708579063 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:20.713711023 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:21.411884069 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:21.417385101 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:21.692819118 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:21.701765060 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:21.865894079 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:21.874464035 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:23.630383015 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:23.635519981 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:23.741945982 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:23.786973000 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:24.502542019 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:24.551980019 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:24.556873083 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:24.646425962 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:24.759926081 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:24.826591015 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:24.991167068 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:25.935925961 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:25.981652975 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:26.880310059 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:26.885363102 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:27.630398989 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:27.635535002 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:27.770886898 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:27.776096106 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:27.942915916 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:27.949517965 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:29.069511890 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:29.075340986 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:29.835297108 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:29.988996029 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:29.992683887 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:30.020941019 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:30.025821924 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:30.137871027 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:30.145267963 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:30.208794117 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:30.219950914 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:31.341242075 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:31.535871983 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.291187048 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291239023 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291273117 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291299105 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.291559935 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291613102 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.291677952 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291708946 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.291749001 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292047977 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292077065 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292109013 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292119026 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292176008 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292217970 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292265892 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292444944 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292496920 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292543888 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292748928 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.292795897 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.292989969 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.293019056 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.293061972 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.293138981 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.296154022 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.296202898 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.296260118 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.348357916 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.408762932 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.408880949 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.408962011 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.408977985 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.409091949 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.409125090 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.409135103 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.409157038 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.409207106 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.442780018 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.447626114 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:32.974072933 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:32.979515076 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:33.114697933 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:33.119645119 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:33.255448103 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:33.261111975 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:34.458523035 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:34.464775085 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:35.567934036 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:35.572979927 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.098906040 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:36.104110956 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.255362034 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:36.260251045 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.395792961 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:36.400655031 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.625050068 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:36.676528931 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:36.879581928 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:37.016875029 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:37.156642914 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:37.285993099 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:37.599044085 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:37.604120016 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:38.710453033 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:38.715574980 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:38.920219898 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:39.145267963 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:39.697488070 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:39.742943048 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:39.748100042 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:39.788479090 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:40.021107912 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:40.026454926 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:40.286501884 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:40.528534889 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:42.052409887 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:42.057467937 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:42.821286917 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:42.826402903 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:42.864723921 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:42.870469093 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:43.162338018 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:43.167712927 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:43.427160025 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:43.432353973 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:45.192955971 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:45.198065042 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:45.721152067 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:45.785928011 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:45.861783981 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:45.948628902 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:45.955468893 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:46.019632101 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:46.035928011 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:46.176528931 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:46.687335014 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:46.848419905 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:47.774614096 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:47.848429918 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:48.849133968 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:48.854142904 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:48.989753008 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:48.994721889 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:49.146194935 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:49.151087046 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:49.802202940 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:49.807547092 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:50.911817074 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:50.916995049 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:51.973957062 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:51.978939056 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:52.136207104 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:52.142293930 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:52.273390055 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:52.278467894 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:52.927182913 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:52.932044029 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:54.036406994 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:54.041385889 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:55.099309921 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:55.105591059 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:55.255364895 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:55.260418892 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:55.395852089 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:55.400779963 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:56.052212000 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:56.057085991 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:57.177198887 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:57.182192087 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:58.240009069 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:58.244925976 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:58.380453110 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:58.385426998 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:58.521096945 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:58.526997089 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:36:59.194861889 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:36:59.199800968 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:00.317905903 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:00.322900057 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:01.364969969 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:01.370029926 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:01.520993948 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:01.526114941 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:01.661699057 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:01.666558027 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:02.317768097 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:02.323278904 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:03.458442926 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:03.463998079 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:04.505218983 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:04.510317087 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:04.646362066 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:04.653469086 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:04.786799908 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:04.791894913 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:05.458695889 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:05.463727951 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:06.583631039 CEST	49747	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:06.588677883 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:07.646023035 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:07.693927050 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:21.831301928 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:21.879781961 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:21.962130070 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:22.004802942 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:25.489065886 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:25.536147118 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:38.076787949 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:38.129846096 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 23, 2024 18:37:41.195319891 CEST	58709	49747	77.91.77.66	192.168.2.4
Jun 23, 2024 18:37:41.239217997 CEST	49747	58709	192.168.2.4	77.91.77.66

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 23, 2024 18:35:12.481183052 CEST	49186	53	192.168.2.4	1.1.1.1
Jun 23, 2024 18:35:12.489104033 CEST	53	49186	1.1.1.1	192.168.2.4
Jun 23, 2024 18:35:13.138309002 CEST	62782	53	192.168.2.4	1.1.1.1
Jun 23, 2024 18:35:13.150125027 CEST	53	62782	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 23, 2024 18:35:12.481183052 CEST	192.168.2.4	1.1.1.1	0x45e	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Jun 23, 2024 18:35:13.138309002 CEST	192.168.2.4	1.1.1.1	0xa6f6	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 23, 2024 18:35:12.489104033 CEST	1.1.1.1	192.168.2.4	0x45e	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Jun 23, 2024 18:35:13.150125027 CEST	1.1.1.1	192.168.2.4	0xa6f6	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false
Jun 23, 2024 18:35:13.150125027 CEST	1.1.1.1	192.168.2.4	0xa6f6	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
Jun 23, 2024 18:35:13.150125027 CEST	1.1.1.1	192.168.2.4	0xa6f6	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

https:

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.4	49730	34.117.186.192	443

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:34:50 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-06-23 16:34:51 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:34:50 GMT content-type: application/json; charset=utf-8 Content-Length: 319 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:34:51 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	34.117.186.192	443	7300	C:\Users\user\Desktop\90ZF1EDs9h.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:12 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:13 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:13 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:13 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:13 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	104.26.5.15	443	7300	C:\Users\user\Desktop\90ZF1EDs9h.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:13 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:13 UTC	653	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:13 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E3ED6:900A_93878F2E:0050_66784EC1_155994E6:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xm42o233PGoiYqNPbeDEmw1KzLE46Hg9jie7rP9W63eZPHubQ9cbKRz6x%2FIVOOcs7PXeUKESlpgxYVT21M2ofrtxOdeVPaH7lFqI8MxxFo6K5K%2F2RctEckFJxA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e3dacf640cb1-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:13 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-23 16:35:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	34.117.186.192	443	7552	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:13 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:14 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:14 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:14 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:14 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	104.26.5.15	443	7552	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:14 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:14 UTC	657	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:14 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E9E84:FE64_93878F2E:0050_66784EC2_15463888:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VX%2F53%2FExKpJbt%2FDl8GcBT%2FYb0wS4c7etLwwBhhadIQ2ej9xLr5Lbe7KD85UIWd238eLIJC9R8uJ7HJGuTaAYW2l3JSV7kZT29in4mTjwUtdjdAv1gn3gR0IVQg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e3e059d841e7-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:14 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-23 16:35:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	34.117.186.192	443	7560	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:15 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:15 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:15 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:15 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:15 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	104.26.5.15	443	7560	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:15 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:16 UTC	653	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:15 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E9F5A:FA86_93878F2E:0050_66784EC3_154638BC:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wexhpaynyoTQZn8cPI8zsoIB1sE18yK86UzG4ZGtfFQzAWa3une9uGAknVec%2Bhe6pChyy%2FX9lOu2d1TWHnW3g5xqQtM4KlXRyOY518HRgu1pru9QdxBfeCe9dw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e3e86cf442c8-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:16 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-23 16:35:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	34.117.186.192	443	7872	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:29 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:29 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:29 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:29 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:29 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	104.26.5.15	443	7872	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:29 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:30 UTC	651	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:30 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466F13:4440_93878F2E:0050_66784ED2_15599765:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c4HM3UaCos119s2VL6Z2CHKy9vu935mDuAsTjMR6wavCGdmRNzLYc5Rv0aV%2B28cnskYzgW3oE9FvQPLrNXZW5d8bGNe9ms7shcXyAE0GJC56FGJxJdWo0YAChw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e4409eadc47a-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:30 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-23 16:35:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49750	34.117.186.192	443	7132	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:36 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-23 16:35:37 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 16:35:36 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 16:35:37 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-23 16:35:37 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49751	104.26.5.15	443	7132	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 16:35:37 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-23 16:35:37 UTC	659	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 16:35:37 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466F96:51E2_93878F2E:0050_66784ED9_155998AB:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wJAZ%2BL8vpx2O7Cw1J7y2XPAAZzaU5R5VmIKQKMUaiK4Q6gHdy2GQP3yvFjSgiOHbfHC5wKTxM%2BUwWUpYa%2Fz0C%2BvhxN3YEY6tn5tTqsSlJW%2B2KhKANevaDv4rbg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8985e47159d31921-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 16:35:37 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-23 16:35:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:34:55
Start date:	23/06/2024
Path:	C:\Users\user\Desktop\90ZF1EDs9h.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\90ZF1EDs9h.exe"
Imagebase:	0x40000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x7e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x7e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x190000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs Detection: 53%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:34:58
Start date:	23/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x190000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:35:08
Start date:	23/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x3e0000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs Detection: 53%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:35:17
Start date:	23/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x3e0000
File size:	2'432'512 bytes
MD5 hash:	9437D6CF2745F8683C3AA908E01B03CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 90ZF1EDs9h.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
90ZF1EDs9h.exe