Windows Analysis Report
3CkMJ4UkNy.exe

Overview

General Information

Sample name: 3CkMJ4UkNy.exe (renamed because original name is a hash value)
Original sample name: 89132cccbe767274896da1b84508923b.exe
Analysis ID: 1435275
MD5: 89132cccbe767274896da1b84508923b
SHA1: 96c69ebe519eb52c33fcbb0618584707c3f8f550
SHA256: 972cd69f7de188b017b0e19f7fe17808b10afc9d98a299498d4c468df83c61f5
Tags: 32, exe, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18% Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exee Virustotal: Detection: 16% Perma Link
Source: http://193.233.132.56/cost/go.exe0.1 Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.56/cost/lenin.exe Virustotal: Detection: 21% Perma Link
Source: http://193.233.132.56/cost/sok.exe Virustotal: Detection: 21% Perma Link
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 52%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 52% Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 52% Perma Link
Source: 3CkMJ4UkNy.exe Virustotal: Detection: 52% Perma Link
Source: 3CkMJ4UkNy.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: 3CkMJ4UkNy.exe Joe Sandbox ML: detected
Source: 3CkMJ4UkNy.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49750 version: TLS 1.2

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93
Source: Joe Sandbox View IP Address: 104.26.4.15
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_008F5940 recv,WSAStartup,closesocket,socket,connect,closesocket, 0_2_008F5940
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exee
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe0.1
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe%0
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeka.ex
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe
Source: MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe.1
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe;
Source: MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exeea.exenI
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exeea.exeot
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3056062295.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 3CkMJ4UkNy.exe, 00000000.00000003.1621011532.0000000005140000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3061002325.0000000000CF1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1707020092.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1707516777.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3060928279.0000000000CF1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3057498278.0000000000D81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.1819998298.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1903883755.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3057412762.0000000000D81000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 3CkMJ4UkNy.exe, 00000000.00000003.2935432793.000000000138F000.00000004.00000020.00020000.00000000.sdmp, 3CkMJ4UkNy.exe, 00000000.00000002.3062491445.0000000001391000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2526206357.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000005.00000003.2526332228.000000000089E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3060663054.000000000089F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/5
Source: RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/H
Source: RageMP131.exe, 00000008.00000002.3061452900.0000000001716000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/Y
Source: RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.0000000001356000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225(~
Source: MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225J
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.0000000001356000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225ly
Source: MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225ot
Source: RageMP131.exe, 00000008.00000002.3061452900.0000000001716000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225otN
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.0000000001356000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225s
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2526206357.00000000007CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225y~
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.0000000001356000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2526206357.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3061452900.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.00000000013BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225
Source: MPGPH131.exe, 00000005.00000002.3060663054.00000000008A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2525929453.00000000008A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225s:
Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.0000000001441000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.000000000143A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.00000000013FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.000000000134A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3056203290.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2526206357.00000000007C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3061452900.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.0000000001441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RageMP131.exe, 00000009.00000002.3061632100.00000000013FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/VF
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3056062295.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 3CkMJ4UkNy.exe, 00000000.00000003.1621011532.0000000005140000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3061002325.0000000000CF1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1707020092.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1707516777.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3060928279.0000000000CF1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3057498278.0000000000D81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.1819998298.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1903883755.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3057412762.0000000000D81000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000005.00000002.3057445876.000000000080D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/t
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.000000000132C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3057445876.0000000000808000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3056203290.000000000076C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3056203290.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3061452900.000000000168A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.0000000001441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: RageMP131.exe, 00000008.00000002.3061452900.00000000016D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225-
Source: MPGPH131.exe, 00000005.00000002.3057445876.0000000000808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.2255
Source: RageMP131.exe, 00000008.00000002.3061452900.000000000168A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225:
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.000000000132C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225H
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.000000000134A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225p
Source: RageMP131.exe, 00000008.00000002.3061452900.0000000001677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/z
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.000000000134A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3056203290.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.00000000013BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225
Source: RageMP131.exe, 00000008.00000002.3061452900.00000000016D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225m
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3057445876.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3056203290.000000000073A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3061452900.000000000164E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.00000000013BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000005.00000002.3057445876.00000000007CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTOM
Source: RageMP131.exe, 00000009.00000002.3061632100.00000000013BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTQ
Source: RageMP131.exe, 00000008.00000002.3061452900.0000000001716000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: 3CkMJ4UkNy.exe, 00000000.00000003.2935432793.000000000138F000.00000004.00000020.00020000.00000000.sdmp, 3CkMJ4UkNy.exe, 00000000.00000002.3062491445.0000000001391000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot0.225
Source: MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot6
Source: RageMP131.exe, 00000008.00000002.3061452900.0000000001716000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botL
Source: RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botS
Source: 3CkMJ4UkNy.exe, 00000000.00000003.2935432793.000000000138F000.00000004.00000020.00020000.00000000.sdmp, 3CkMJ4UkNy.exe, 00000000.00000002.3062491445.0000000001391000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botaN
Source: MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botm
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2526206357.00000000007CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/riseproe
Source: RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.y
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49750 version: TLS 1.2

System Summary

Source: 3CkMJ4UkNy.exe Static PE information: section name:
Source: 3CkMJ4UkNy.exe Static PE information: section name: .idata
Source: 3CkMJ4UkNy.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_00867190 0_2_00867190
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_0086A918 0_2_0086A918
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_0086C950 0_2_0086C950
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_0087DA74 0_2_0087DA74
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_00888BA0 0_2_00888BA0
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_00920350 0_2_00920350
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_0087035F 0_2_0087035F
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_0085F570 0_2_0085F570
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_008847AD 0_2_008847AD
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_0091CFC0 0_2_0091CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D27190 5_2_00D27190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D2C950 5_2_00D2C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D2A918 5_2_00D2A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D3DA74 5_2_00D3DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D48BA0 5_2_00D48BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D3035F 5_2_00D3035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DE0350 5_2_00DE0350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D1F570 5_2_00D1F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DDCFC0 5_2_00DDCFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D447AD 5_2_00D447AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D27190 6_2_00D27190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D2C950 6_2_00D2C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D2A918 6_2_00D2A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D3DA74 6_2_00D3DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D48BA0 6_2_00D48BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D3035F 6_2_00D3035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00DE0350 6_2_00DE0350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D1F570 6_2_00D1F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00DDCFC0 6_2_00DDCFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D447AD 6_2_00D447AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00DB7190 8_2_00DB7190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00DBC950 8_2_00DBC950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00DBA918 8_2_00DBA918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00DCDA74 8_2_00DCDA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00DD8BA0 8_2_00DD8BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00DC035F 8_2_00DC035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00E70350 8_2_00E70350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00DAF570 8_2_00DAF570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00E6CFC0 8_2_00E6CFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00DD47AD 8_2_00DD47AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00DB7190 9_2_00DB7190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00DBC950 9_2_00DBC950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00DBA918 9_2_00DBA918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00DCDA74 9_2_00DCDA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00DD8BA0 9_2_00DD8BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00DC035F 9_2_00DC035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00E70350 9_2_00E70350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00DAF570 9_2_00DAF570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00E6CFC0 9_2_00E6CFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00DD47AD 9_2_00DD47AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00DB4370 appears 48 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00D24370 appears 48 times
Source: 3CkMJ4UkNy.exe Binary or memory string: OriginalFilename vs 3CkMJ4UkNy.exe
Source: 3CkMJ4UkNy.exe, 00000000.00000003.1666473483.0000000005344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 3CkMJ4UkNy.exe
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3067795879.0000000005138000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 3CkMJ4UkNy.exe
Source: 3CkMJ4UkNy.exe, 00000000.00000000.1611886206.0000000000E12000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 3CkMJ4UkNy.exe
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061147133.0000000000E12000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 3CkMJ4UkNy.exe
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3057604092.00000000009BF000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 3CkMJ4UkNy.exe
Source: 3CkMJ4UkNy.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 3CkMJ4UkNy.exe
Source: 3CkMJ4UkNy.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@4/3
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_03
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3056062295.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 3CkMJ4UkNy.exe, 00000000.00000003.1621011532.0000000005140000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3061002325.0000000000CF1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1707020092.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1707516777.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3060928279.0000000000CF1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3057498278.0000000000D81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.1819998298.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1903883755.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3057412762.0000000000D81000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3056062295.0000000000831000.00000040.00000001.01000000.00000003.sdmp, 3CkMJ4UkNy.exe, 00000000.00000003.1621011532.0000000005140000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3061002325.0000000000CF1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1707020092.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1707516777.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3060928279.0000000000CF1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3057498278.0000000000D81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.1819998298.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1903883755.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3057412762.0000000000D81000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 3CkMJ4UkNy.exe Virustotal: Detection: 52%
Source: 3CkMJ4UkNy.exe ReversingLabs: Detection: 52%
Source: 3CkMJ4UkNy.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 3CkMJ4UkNy.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe File read: C:\Users\user\Desktop\3CkMJ4UkNy.exe
Source: unknown Process created: C:\Users\user\Desktop\3CkMJ4UkNy.exe "C:\Users\user\Desktop\3CkMJ4UkNy.exe"
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
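The two schtasks lines above are the sample's persistence: MPGPH131.exe is re-launched every hour ("MPGPH131 HR") and at every logon ("MPGPH131 LG") under the sandbox account "user". /rl HIGHEST only asks for the highest token that principal already holds, so it elevates nothing by itself, and /f replaces any existing task of the same name without a prompt. The following is an added detection example written for this report, not part of the sandbox's own tooling: it scores schtasks /create invocations taken from process-creation telemetry (the CommandLine field of Sysmon Event ID 1 or Security event 4688) on exactly those traits. The directory list, the trigger set and the threshold are the example's own assumptions; the first two sample command lines are copied from the evidence above, the other two are constructed controls.

```python
"""Score `schtasks /create` command lines for the persistence pattern this
sample uses: an action binary in a user-writable directory, /rl HIGHEST, a
logon or short-interval trigger, and /f to overwrite a same-named task.
Added example, not sandbox tooling; input is the CommandLine field of
process-creation telemetry (Sysmon Event ID 1, Security 4688)."""
import ntpath
import re

# Assumed list: places a legitimate scheduled task rarely launches a binary from.
USER_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
                      "\\users\\public\\", "\\windows\\temp\\")
# Triggers that re-launch the action with no user interaction.
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE", "MINUTE", "HOURLY"}

# Constructed input: lines 1-2 are the sample's own invocations as recorded in
# this report; lines 3-4 are a benign task and a non-schtasks process as controls.
SAMPLE_CMDLINES = [
    r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc DAILY /st 02:00',
    r'"C:\Users\user\Desktop\3CkMJ4UkNy.exe"',
]


def split_cmdline(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_schtasks(cmd: str):
    """Return {switch: value or True} for a schtasks command line, else None."""
    toks = split_cmdline(cmd)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            # A switch takes the next token as its value unless that token is
            # itself a switch ("/f /RU ..." leaves /f with no value).
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts


def assess_schtasks(cmd: str):
    """Score a `schtasks /create` line; returns None for anything else."""
    opts = parse_schtasks(cmd)
    if opts is None or "create" not in opts:
        return None
    action = opts.get("tr") if isinstance(opts.get("tr"), str) else ""
    reasons = []
    if any(d in action.lower() for d in USER_WRITABLE_DIRS):
        reasons.append("action binary lives in a user-writable directory")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST asks for the principal's highest token")
    trigger = str(opts.get("sc", "")).upper()
    if trigger in PERSISTENT_TRIGGERS:
        reasons.append(f"/sc {trigger} re-launches the action without user interaction")
    if opts.get("f") is True:
        reasons.append("/f silently replaces any existing task of that name")
    return {"task": opts.get("tn"), "action": action, "run_as": opts.get("ru"),
            "reasons": reasons, "score": len(reasons)}


def triage(cmdlines, threshold: int = 3) -> list:
    """Assessments scoring at or above `threshold`, highest first."""
    hits = [a for a in map(assess_schtasks, cmdlines) if a and a["score"] >= threshold]
    return sorted(hits, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(f'[{hit["score"]}] task={hit["task"]!r} action={hit["action"]!r} run_as={hit["run_as"]!r}')
        for reason in hit["reasons"]:
            print("    -", reason)
```

Run as a script it reports both MPGPH131 tasks with all four reasons and ignores the backup task and the plain process launch. The command-line trail is not the only place this persistence survives: the Task Scheduler operational log records the registration (event 106) and the task XML is written under C:\Windows\System32\Tasks\, so a task created and later hidden from the process trail can still be found on the host.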
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: 3CkMJ4UkNy.exe Static file information: File size 2429952 > 1048576
Source: 3CkMJ4UkNy.exe Static PE information: Raw size of bqulvhjh is bigger than: 0x100000 < 0x1a2400

Data Obfuscation

Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Unpacked PE file: 0.2.3CkMJ4UkNy.exe.830000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 5.2.MPGPH131.exe.cf0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.cf0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 9.2.RageMP131.exe.d80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bqulvhjh:EW;kmscejhe:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x252a89 should be: 0x257598
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x252a89 should be: 0x257598
Source: 3CkMJ4UkNy.exe Static PE information: real checksum: 0x252a89 should be: 0x257598
Source: 3CkMJ4UkNy.exe Static PE information: section name:
Source: 3CkMJ4UkNy.exe Static PE information: section name: .idata
Source: 3CkMJ4UkNy.exe Static PE information: section name:
Source: 3CkMJ4UkNy.exe Static PE information: section name: bqulvhjh
Source: 3CkMJ4UkNy.exe Static PE information: section name: kmscejhe
Source: 3CkMJ4UkNy.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: bqulvhjh
Source: RageMP131.exe.0.dr Static PE information: section name: kmscejhe
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: bqulvhjh
Source: MPGPH131.exe.0.dr Static PE information: section name: kmscejhe
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_00863F49 push ecx; ret 0_2_00863F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D23F49 push ecx; ret 5_2_00D23F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D23F49 push ecx; ret 6_2_00D23F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00DB3F49 push ecx; ret 8_2_00DB3F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00DB3F49 push ecx; ret 9_2_00DB3F5C
Source: 3CkMJ4UkNy.exe Static PE information: section name: entropy: 7.9242713107823075
Source: 3CkMJ4UkNy.exe Static PE information: section name: bqulvhjh entropy: 7.91075925777718
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.9242713107823075
Source: RageMP131.exe.0.dr Static PE information: section name: bqulvhjh entropy: 7.91075925777718
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.9242713107823075
Source: MPGPH131.exe.0.dr Static PE information: section name: bqulvhjh entropy: 7.91075925777718
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 9C7ACC second address: 9C7AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B43D79 second address: B43D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B43D7E second address: B43DAA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7564741CDFh 0x0000000f pushad 0x00000010 jmp 00007F7564741CDAh 0x00000015 jne 00007F7564741CD6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B43DAA second address: B43DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B43F39 second address: B43F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7564741CDDh 0x00000009 popad 0x0000000a pushad 0x0000000b jne 00007F7564741CD6h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F7564741CE5h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B446C4 second address: B446CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B446CA second address: B446E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7564741CDDh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47846 second address: B4789B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F756537D30Ah 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d jns 00007F756537D310h 0x00000013 jmp 00007F756537D30Ah 0x00000018 pop esi 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d pushad 0x0000001e pushad 0x0000001f jng 00007F756537D306h 0x00000025 jmp 00007F756537D313h 0x0000002a popad 0x0000002b jmp 00007F756537D30Ah 0x00000030 popad 0x00000031 mov eax, dword ptr [eax] 0x00000033 push esi 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 pop edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B4789B second address: B4789F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47936 second address: B479E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 03D0E709h 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F756537D308h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 jnp 00007F756537D30Bh 0x0000002c mov edx, 4DFF71CCh 0x00000031 call 00007F756537D313h 0x00000036 mov dh, E8h 0x00000038 pop esi 0x00000039 push 00000003h 0x0000003b or cl, 00000062h 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ecx 0x00000043 call 00007F756537D308h 0x00000048 pop ecx 0x00000049 mov dword ptr [esp+04h], ecx 0x0000004d add dword ptr [esp+04h], 0000001Ah 0x00000055 inc ecx 0x00000056 push ecx 0x00000057 ret 0x00000058 pop ecx 0x00000059 ret 0x0000005a jl 00007F756537D31Bh 0x00000060 call 00007F756537D311h 0x00000065 movsx esi, di 0x00000068 pop ecx 0x00000069 push 00000003h 0x0000006b movzx ecx, cx 0x0000006e push 43B972FBh 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 ja 00007F756537D306h 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B479E0 second address: B479E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B479E5 second address: B47A3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756537D312h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 7C468D05h 0x00000010 add dword ptr [ebp+122D3818h], edi 0x00000016 lea ebx, dword ptr [ebp+124537A1h] 0x0000001c or ecx, dword ptr [ebp+122D2A63h] 0x00000022 xchg eax, ebx 0x00000023 push esi 0x00000024 jng 00007F756537D31Eh 0x0000002a jmp 00007F756537D318h 0x0000002f pop esi 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47A3C second address: B47A42 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47A42 second address: B47A48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47A48 second address: B47A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47B04 second address: B47B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47B09 second address: B47B54 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F7564741CDFh 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007F7564741CE9h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d push ebx 0x0000001e jnl 00007F7564741CD6h 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 js 00007F7564741CD6h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47B54 second address: B47BFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F756537D30Fh 0x0000000e mov edi, dword ptr [ebp+122D2C5Bh] 0x00000014 popad 0x00000015 mov ecx, dword ptr [ebp+122D37EEh] 0x0000001b push 00000003h 0x0000001d pushad 0x0000001e mov si, EFB4h 0x00000022 mov di, A024h 0x00000026 popad 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007F756537D308h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov edi, eax 0x00000045 mov cx, dx 0x00000048 push 00000003h 0x0000004a mov dword ptr [ebp+122D2875h], edi 0x00000050 mov ecx, ebx 0x00000052 push 95186BEDh 0x00000057 push ecx 0x00000058 jns 00007F756537D30Ch 0x0000005e pop ecx 0x0000005f xor dword ptr [esp], 55186BEDh 0x00000066 mov dword ptr [ebp+122D2D58h], edi 0x0000006c adc cx, 0820h 0x00000071 lea ebx, dword ptr [ebp+124537AAh] 0x00000077 jg 00007F756537D30Ch 0x0000007d xchg eax, ebx 0x0000007e jc 00007F756537D314h 0x00000084 push eax 0x00000085 push edx 0x00000086 jc 00007F756537D306h 0x0000008c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47C7C second address: B47C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47C80 second address: B47C8A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F756537D306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47C8A second address: B47C95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F7564741CD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47C95 second address: B47CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D37C2h], ebx 0x00000010 push 00000000h 0x00000012 stc 0x00000013 call 00007F756537D309h 0x00000018 push edx 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47CB5 second address: B47D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F7564741CE7h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jo 00007F7564741CD6h 0x00000016 popad 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007F7564741CE7h 0x00000021 mov eax, dword ptr [eax] 0x00000023 pushad 0x00000024 jp 00007F7564741CDCh 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47D05 second address: B47DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F756537D318h 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jp 00007F756537D31Ch 0x00000014 jmp 00007F756537D316h 0x00000019 pop eax 0x0000001a call 00007F756537D30Ah 0x0000001f pushad 0x00000020 sub dword ptr [ebp+122D21F4h], ecx 0x00000026 movzx edx, si 0x00000029 popad 0x0000002a pop esi 0x0000002b push 00000003h 0x0000002d mov cx, 7FA4h 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007F756537D308h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 0000001Ah 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d or edx, 650FE8B2h 0x00000053 pushad 0x00000054 or edi, dword ptr [ebp+122D2A03h] 0x0000005a popad 0x0000005b push 00000003h 0x0000005d cld 0x0000005e call 00007F756537D309h 0x00000063 jmp 00007F756537D30Ch 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jng 00007F756537D30Ch 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47DB4 second address: B47DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47DB8 second address: B47DE5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F756537D313h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push esi 0x0000000f push edi 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop edi 0x00000013 pop esi 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007F756537D308h 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47DE5 second address: B47DEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F7564741CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47DEF second address: B47E2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jg 00007F756537D312h 0x00000012 pop eax 0x00000013 mov dword ptr [ebp+122D2DD2h], edi 0x00000019 lea ebx, dword ptr [ebp+124537B5h] 0x0000001f sub dword ptr [ebp+122D2D58h], edx 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jo 00007F756537D30Ch 0x0000002e js 00007F756537D306h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B47E2F second address: B47E5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7564741CDCh 0x00000008 jmp 00007F7564741CE1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B67B35 second address: B67B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B665B4 second address: B665BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B665BB second address: B665C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B665C0 second address: B665E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7564741CE0h 0x00000009 pushad 0x0000000a popad 0x0000000b jbe 00007F7564741CD6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B66734 second address: B66752 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F756537D319h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B668C4 second address: B668C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B3FBC4 second address: B3FBDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F756537D306h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jng 00007F756537D306h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B66CD7 second address: B66D1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7564741CE6h 0x00000008 jmp 00007F7564741CE8h 0x0000000d jmp 00007F7564741CE0h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B66D1D second address: B66D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B66D23 second address: B66D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B66D27 second address: B66D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B66D2D second address: B66D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B66D39 second address: B66D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B67305 second address: B6730A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B6730A second address: B67310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B679BE second address: B679C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B679C2 second address: B679C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B69C22 second address: B69C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7564741CDAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B6AE1D second address: B6AE22 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B6AE22 second address: B6AE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7564741CDEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B6AE3E second address: B6AE42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B6AE42 second address: B6AE4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B6AE4B second address: B6AE85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b je 00007F756537D30Ch 0x00000011 jnl 00007F756537D306h 0x00000017 jmp 00007F756537D314h 0x0000001c popad 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 jng 00007F756537D310h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B2D14C second address: B2D159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F7564741CE2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B2D159 second address: B2D15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B2D15F second address: B2D16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F7564741CF5h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B766BC second address: B766C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B766C2 second address: B766C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B766C6 second address: B766CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B766CA second address: B766D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B29D35 second address: B29D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B29D39 second address: B29D45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B29D45 second address: B29D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F756537D314h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B29D5D second address: B29D6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jno 00007F7564741CD6h 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B29D6B second address: B29D70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B75D35 second address: B75D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B76283 second address: B7628C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7628C second address: B76290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B76290 second address: B76294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B76294 second address: B7629E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B785D0 second address: B785D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B785D4 second address: B785D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B78741 second address: B78748 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B789D5 second address: B789D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B789D9 second address: B789DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B79158 second address: B7919D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007F7564741CD6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F7564741CD8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 jne 00007F7564741CDCh 0x0000002d nop 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 jg 00007F7564741CD6h 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7919D second address: B791A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F756537D306h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B791A7 second address: B791AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7934C second address: B79350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7973C second address: B79756 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7564741CE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7A637 second address: B7A692 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756537D318h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c cld 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F756537D308h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D2D58h], ebx 0x0000002f push 00000000h 0x00000031 sub dword ptr [ebp+122D37B2h], eax 0x00000037 mov dword ptr [ebp+122D1810h], edi 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push ecx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7A692 second address: B7A697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7BE14 second address: B7BE18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7BE18 second address: B7BE21 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7CA7E second address: B7CA91 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F756537D30Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7D5B9 second address: B7D5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7EA34 second address: B7EA39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7FE90 second address: B7FE96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B802E6 second address: B802EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B802EB second address: B802F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B81339 second address: B813AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F756537D319h 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F756537D308h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov ebx, 7B786A00h 0x0000002b push 00000000h 0x0000002d xor dword ptr [ebp+122D1D17h], edi 0x00000033 xor bx, 2AFFh 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push esi 0x0000003d call 00007F756537D308h 0x00000042 pop esi 0x00000043 mov dword ptr [esp+04h], esi 0x00000047 add dword ptr [esp+04h], 00000016h 0x0000004f inc esi 0x00000050 push esi 0x00000051 ret 0x00000052 pop esi 0x00000053 ret 0x00000054 xchg eax, esi 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B813AF second address: B813B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B813B3 second address: B813CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F756537D30Bh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B84400 second address: B8447E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7564741CE4h 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d jmp 00007F7564741CE6h 0x00000012 pop esi 0x00000013 nop 0x00000014 mov ebx, esi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F7564741CD8h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 mov edi, 1B0B2980h 0x00000037 push 00000000h 0x00000039 cld 0x0000003a cld 0x0000003b xchg eax, esi 0x0000003c push ebx 0x0000003d push eax 0x0000003e jmp 00007F7564741CE3h 0x00000043 pop eax 0x00000044 pop ebx 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 pushad 0x0000004a popad 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B8447E second address: B84495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756537D313h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B8649A second address: B864D2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F7564741CE3h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jp 00007F7564741CFFh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7564741CE6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B88507 second address: B88529 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756537D317h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B88529 second address: B8852D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B8852D second address: B88537 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F756537D306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B88537 second address: B88541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F7564741CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B893ED second address: B893F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B893F1 second address: B89439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 add ebx, 569B30B7h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F7564741CD8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D2410h], edi 0x00000031 push 00000000h 0x00000033 js 00007F7564741CDCh 0x00000039 mov ebx, dword ptr [ebp+122D22DDh] 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 push ecx 0x00000044 pop ecx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7F1BF second address: B7F1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7F1C3 second address: B7F1CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7F1CD second address: B7F1D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7F1D1 second address: B7F1D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B954BD second address: B954C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B3C545 second address: B3C549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B99B14 second address: B99B3E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F756537D308h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F756537D348h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F756537D314h 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B99B3E second address: B99B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B99B42 second address: B99B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F756537D310h 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B995F7 second address: B995FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B995FB second address: B99629 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F756537D306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F756537D30Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F756537D316h 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA377F second address: BA3784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA3784 second address: BA37A2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F756537D30Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F756537D30Ah 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA37A2 second address: BA37C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7564741CDBh 0x0000000f js 00007F7564741CDAh 0x00000015 pushad 0x00000016 popad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA37C1 second address: BA37D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756537D30Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA2513 second address: BA2526 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7564741CDEh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA2526 second address: BA2539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jns 00007F756537D306h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA2FF5 second address: BA2FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA2FF9 second address: BA2FFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA2FFF second address: BA300B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA3189 second address: BA318F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA318F second address: BA31A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 jns 00007F7564741CD6h 0x0000000c jmp 00007F7564741CDBh 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA34BC second address: BA34C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA34C2 second address: BA34C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BA5C1F second address: BA5C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F756537D315h 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f je 00007F756537D306h 0x00000015 jnl 00007F756537D306h 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F756537D30Dh 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B804BD second address: B804CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAC7EE second address: BAC7F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAC7F3 second address: BAC7F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAC7F8 second address: BAC80C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F756537D30Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAB691 second address: BAB6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jp 00007F7564741CF5h 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F7564741CD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAB6C3 second address: BAB6C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAB6C7 second address: BAB6E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7564741CE6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B856AA second address: B856B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B86611 second address: B86670 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7564741CD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jno 00007F7564741CDCh 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F7564741CD8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b clc 0x0000003c mov eax, dword ptr [ebp+122D0011h] 0x00000042 mov edi, 3D0CE1DDh 0x00000047 push FFFFFFFFh 0x00000049 cmc 0x0000004a nop 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B874C4 second address: B874D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B86670 second address: B86674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B874D0 second address: B874E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756537D30Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B874E2 second address: B874E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BABC70 second address: BABC9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756537D316h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F756537D313h 0x0000000f jmp 00007F756537D30Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAB226 second address: BAB22C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAB22C second address: BAB230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAB230 second address: BAB234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAB234 second address: BAB240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F756537D306h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAB240 second address: BAB245 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B8B386 second address: B8B38C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B8B452 second address: B8B47E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7564741CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jg 00007F7564741CD6h 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F7564741CE6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B8B47E second address: B8B483 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B8865B second address: B88660 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BAC24E second address: BAC261 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F756537D306h 0x00000008 jl 00007F756537D306h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB2401 second address: BB2407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB11B1 second address: BB11B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB11B5 second address: BB11BD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7706B second address: B77076 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F756537D306h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B77479 second address: B7747D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7747D second address: B77481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B77481 second address: B77497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jg 00007F7564741CE4h 0x0000000d pushad 0x0000000e je 00007F7564741CD6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7759C second address: B775A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B775A0 second address: B775A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7763C second address: B77642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B77822 second address: B77843 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7564741CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnc 00007F7564741CD6h 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jnl 00007F7564741CD6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B77843 second address: B7784D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F756537D306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7784D second address: B77852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B77A7B second address: B77A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B77DFB second address: B77E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B77E01 second address: B77E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F75653B01BCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B77E14 second address: B77E54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 add edx, 669F4CA0h 0x0000000e push 0000001Eh 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F756452AB58h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a movzx edi, si 0x0000002d nop 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F756452AB5Ah 0x00000035 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B78140 second address: B78149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B781A4 second address: B781A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B781A8 second address: B781AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B781AE second address: B781B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B781B4 second address: B7821F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d jmp 00007F75653B01BAh 0x00000012 pop edi 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F75653B01B8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e lea eax, dword ptr [ebp+12482C9Eh] 0x00000034 mov cx, 4E4Ah 0x00000038 nop 0x00000039 jmp 00007F75653B01C4h 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7821F second address: B78223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B78223 second address: B78227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B78227 second address: B7822D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B7822D second address: B5C092 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F75653B01BCh 0x00000008 jnp 00007F75653B01B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F75653B01B8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b add edi, dword ptr [ebp+122D2C73h] 0x00000031 lea eax, dword ptr [ebp+12482C5Ah] 0x00000037 mov edx, dword ptr [ebp+122D2CCBh] 0x0000003d push eax 0x0000003e pushad 0x0000003f jne 00007F75653B01BCh 0x00000045 jmp 00007F75653B01C5h 0x0000004a popad 0x0000004b mov dword ptr [esp], eax 0x0000004e push 00000000h 0x00000050 push edx 0x00000051 call 00007F75653B01B8h 0x00000056 pop edx 0x00000057 mov dword ptr [esp+04h], edx 0x0000005b add dword ptr [esp+04h], 0000001Dh 0x00000063 inc edx 0x00000064 push edx 0x00000065 ret 0x00000066 pop edx 0x00000067 ret 0x00000068 mov dword ptr [ebp+122D21CFh], edx 0x0000006e jmp 00007F75653B01C1h 0x00000073 call dword ptr [ebp+122D1D27h] 0x00000079 push esi 0x0000007a jp 00007F75653B01C2h 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB14A2 second address: BB14A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB14A6 second address: BB14BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F75653B01C3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB14BF second address: BB14C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB14C7 second address: BB14CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB14CB second address: BB14CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB1640 second address: BB1649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB1649 second address: BB164F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB17A6 second address: BB17C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F75653B01C9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB17C5 second address: BB17CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB1AF0 second address: BB1AFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB1AFB second address: BB1B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB1DA7 second address: BB1DBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BBh 0x00000007 jo 00007F75653B01BCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB1F6A second address: BB1F70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB1F70 second address: BB1F90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB1F90 second address: BB1F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB9FA8 second address: BB9FB0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BB9FB0 second address: BB9FC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756452AB5Bh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BBA684 second address: BBA699 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F75653B01B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F75653B01B8h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BBA94E second address: BBA96E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F756452AB58h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F756452AB64h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BBED33 second address: BBED37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BBED37 second address: BBED4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F756452AB5Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BC1CFB second address: BC1D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F75653B01C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BC15E6 second address: BC15F8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F756452AB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F756452AB58h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BC15F8 second address: BC1606 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F75653B01B8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BC1726 second address: BC172C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B3E0A9 second address: B3E0BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F75653B01BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: B3E0BC second address: B3E11B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB63h 0x00000007 jmp 00007F756452AB68h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F756452AB5Eh 0x00000013 ja 00007F756452AB6Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007F756452AB56h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BC3C55 second address: BC3C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 jmp 00007F75653B01BEh 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F75653B01B6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BC3DDB second address: BC3DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BC766D second address: BC7679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BC794B second address: BC7967 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F756452AB5Ch 0x0000000c jnc 00007F756452AB56h 0x00000012 pop ebx 0x00000013 jl 00007F756452AB66h 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BCAF11 second address: BCAF31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C6h 0x00000007 jl 00007F75653B01B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BCB0CF second address: BCB0D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BCB66F second address: BCB673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD0D7A second address: BD0DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F756452AB56h 0x0000000c popad 0x0000000d jo 00007F756452AB62h 0x00000013 js 00007F756452AB56h 0x00000019 jne 00007F756452AB56h 0x0000001f pop edi 0x00000020 pushad 0x00000021 jne 00007F756452AB5Eh 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD02CA second address: BD02CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD02CE second address: BD02D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD02D8 second address: BD02E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD02E7 second address: BD0316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F756452AB5Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F756452AB66h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD0316 second address: BD031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD077C second address: BD0799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 ja 00007F756452AB5Eh 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD0799 second address: BD079D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD079D second address: BD07A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD07A1 second address: BD07AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD08FA second address: BD0902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD0902 second address: BD0908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD0908 second address: BD0912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F756452AB56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD0912 second address: BD092E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD092E second address: BD0949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD86F6 second address: BD86FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD86FB second address: BD8717 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F756452AB65h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD6870 second address: BD6876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD7006 second address: BD703A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F756452AB68h 0x00000010 jmp 00007F756452AB61h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD7173 second address: BD7177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD7177 second address: BD717B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD7302 second address: BD730C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F75653B01B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD7458 second address: BD745C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD745C second address: BD746C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F75653B01B6h 0x00000008 jne 00007F75653B01B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD746C second address: BD749C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F756452AB7Bh 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F756452AB61h 0x0000001c push esi 0x0000001d pop esi 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD771F second address: BD7727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD7727 second address: BD7739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F756452AB56h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BD8500 second address: BD8544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F75653B01C3h 0x00000009 popad 0x0000000a jmp 00007F75653B01BCh 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop ebx 0x00000016 jmp 00007F75653B01C9h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BE24F6 second address: BE2517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F756452AB62h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jne 00007F756452AB56h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BE2517 second address: BE251D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BE251D second address: BE2523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BE2523 second address: BE2527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BE20B8 second address: BE20BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BE20BC second address: BE20DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F75653B01D1h 0x0000000c jmp 00007F75653B01C5h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BE20DF second address: BE20E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BE3A32 second address: BE3A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F75653B01B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BE3A3E second address: BE3A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F756452AB5Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BF667C second address: BF6680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BF6680 second address: BF66AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F756452AB5Eh 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F756452AB56h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: BFF713 second address: BFF719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C00E5B second address: C00E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007F756452AB56h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C00E68 second address: C00E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F75653B01BEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C00E7C second address: C00EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F756452AB5Ch 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007F756452AB5Fh 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C05E30 second address: C05E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C07526 second address: C0752C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C0752C second address: C0753C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F75653B01B6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C0753C second address: C07550 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F756452AB7Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C097D7 second address: C097E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C097E0 second address: C097E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C0ECEE second address: C0ED00 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F75653B01B6h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C117C8 second address: C117CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C117CC second address: C117D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C1EEFF second address: C1EF0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jp 00007F756452AB56h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C1EF0D second address: C1EF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C1EF12 second address: C1EF18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C1EF18 second address: C1EF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C1EF1E second address: C1EF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C1EF22 second address: C1EF26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C1EF26 second address: C1EF46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F756452AB62h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F756452AB5Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C27B39 second address: C27B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C3666F second address: C36674 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36674 second address: C3667C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C3667C second address: C366AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007F756452AB56h 0x0000000c pushad 0x0000000d popad 0x0000000e jg 00007F756452AB56h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push edi 0x00000018 jmp 00007F756452AB68h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36132 second address: C3614F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F75653B01B6h 0x00000008 jmp 00007F75653B01BFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C3614F second address: C36160 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB5Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36160 second address: C36165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36165 second address: C3616B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C3616B second address: C36191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 jmp 00007F75653B01C4h 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36191 second address: C3619E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F756452AB56h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C3619E second address: C361A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C361A4 second address: C361B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F756452AB60h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C3632E second address: C36332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36332 second address: C36354 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB64h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jng 00007F756452AB56h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36354 second address: C36359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36359 second address: C36365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F756452AB56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36365 second address: C36386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F75653B01C8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C36386 second address: C363AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756452AB66h 0x00000009 jmp 00007F756452AB5Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C61DDE second address: C61E02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C2h 0x00000007 jmp 00007F75653B01BEh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C60D17 second address: C60D55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F756452AB61h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F756452AB67h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 push edx 0x00000017 pop edx 0x00000018 je 00007F756452AB56h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C60E8B second address: C60E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C60E90 second address: C60E96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C60E96 second address: C60E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C60E9A second address: C60E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C6125D second address: C61263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C61263 second address: C6128D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F756452AB65h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F756452AB56h 0x00000014 jnc 00007F756452AB56h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C6128D second address: C612C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F75653B01B8h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F75653B01C1h 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C612C4 second address: C612CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C612CA second address: C612D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C612D3 second address: C612D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C615A6 second address: C615C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F75653B01B6h 0x0000000c popad 0x0000000d jc 00007F75653B01BEh 0x00000013 jnp 00007F75653B01B6h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C6199A second address: C6199E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C634C2 second address: C634C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C634C6 second address: C634CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C65F9B second address: C65F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C65F9F second address: C65FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007F756452AB5Eh 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 js 00007F756452AB64h 0x00000017 pushad 0x00000018 jns 00007F756452AB56h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C6605D second address: C660C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jns 00007F75653B01BCh 0x0000000b popad 0x0000000c nop 0x0000000d add edx, dword ptr [ebp+12465AC7h] 0x00000013 and edx, 7BB19208h 0x00000019 push 00000004h 0x0000001b mov dword ptr [ebp+1247AB3Eh], ebx 0x00000021 mov edx, dword ptr [ebp+122D3760h] 0x00000027 call 00007F75653B01B9h 0x0000002c jc 00007F75653B01D2h 0x00000032 pushad 0x00000033 jbe 00007F75653B01B6h 0x00000039 jmp 00007F75653B01C4h 0x0000003e popad 0x0000003f push eax 0x00000040 push ecx 0x00000041 push esi 0x00000042 push ebx 0x00000043 pop ebx 0x00000044 pop esi 0x00000045 pop ecx 0x00000046 mov eax, dword ptr [esp+04h] 0x0000004a pushad 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C660C4 second address: C660E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007F756452AB5Fh 0x0000000d pop edx 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 jbe 00007F756452AB60h 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C663D2 second address: C663D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C663D9 second address: C66400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F756452AB5Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C66400 second address: C66413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F75653B01BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C67CAC second address: C67CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: C6975C second address: C6978F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F75653B01C7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F75653B01B6h 0x00000013 jmp 00007F75653B01BEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52006DB second address: 52006E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52006E1 second address: 52006E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52006E5 second address: 520072B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F756452AB60h 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007F756452AB5Ch 0x0000001e sbb ax, 4DF8h 0x00000023 jmp 00007F756452AB5Bh 0x00000028 popfd 0x00000029 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D011A second address: 51D0136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F75653B01C1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0136 second address: 51D0152 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0152 second address: 51D0156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0156 second address: 51D015A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D015A second address: 51D0160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0160 second address: 51D0175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756452AB61h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0175 second address: 51D0185 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0185 second address: 51D0189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0189 second address: 51D018D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D018D second address: 51D0193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230EE3 second address: 5230EE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230EE9 second address: 5230F24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ebx, 70CC4F10h 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F756452AB5Fh 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c movsx edi, ax 0x0000001f mov cx, 6BB3h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0CD2 second address: 51C0CD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0CD6 second address: 51C0CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0CDC second address: 51C0D06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F75653B01C0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0D06 second address: 51C0D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0D0A second address: 51C0D26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0D26 second address: 51C0D34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0D34 second address: 51C0D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, 264Dh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0D3D second address: 51C0D43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0D43 second address: 51C0D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0D47 second address: 51C0D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0D57 second address: 51C0DC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F75653B01BDh 0x00000015 sub si, EA36h 0x0000001a jmp 00007F75653B01C1h 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F75653B01C0h 0x00000026 jmp 00007F75653B01C5h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0DC2 second address: 51C0DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756452AB5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0DD2 second address: 51C0DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0E85 second address: 51C0E89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0E89 second address: 51C0E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0E8F second address: 51C0EA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756452AB5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51C0EA0 second address: 51C0EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230BF6 second address: 5230BFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230BFC second address: 5230C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230C00 second address: 5230C31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007F756452AB62h 0x00000012 xor esi, 711D60A8h 0x00000018 jmp 00007F756452AB5Bh 0x0000001d popfd 0x0000001e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230C31 second address: 5230C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230C35 second address: 5230C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, ax 0x00000009 popad 0x0000000a mov dword ptr [esp], ebp 0x0000000d jmp 00007F756452AB60h 0x00000012 mov ebp, esp 0x00000014 jmp 00007F756452AB60h 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov dx, EC50h 0x00000021 movsx edx, si 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230C70 second address: 5230C82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F75653B01BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210B2B second address: 5210B3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210B3A second address: 5210BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F75653B01BFh 0x00000009 sbb eax, 5556AF8Eh 0x0000000f jmp 00007F75653B01C9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F75653B01C0h 0x0000001b adc esi, 14859208h 0x00000021 jmp 00007F75653B01BBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d mov bx, si 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210BA1 second address: 5210BA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210BA7 second address: 5210BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F75653B01BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250E5F second address: 5250E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250E63 second address: 5250E76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250E76 second address: 5250EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F756452AB5Fh 0x00000009 adc ecx, 741F647Eh 0x0000000f jmp 00007F756452AB69h 0x00000014 popfd 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushfd 0x00000020 jmp 00007F756452AB66h 0x00000025 xor eax, 0172CEA8h 0x0000002b jmp 00007F756452AB5Bh 0x00000030 popfd 0x00000031 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250EDC second address: 5250F28 instructions: 0x00000000 rdtsc 0x00000002 mov si, 819Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007F75653B01C4h 0x0000000e sbb si, C108h 0x00000013 jmp 00007F75653B01BBh 0x00000018 popfd 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c push eax 0x0000001d mov esi, edx 0x0000001f pop edi 0x00000020 mov di, cx 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 mov dx, cx 0x0000002a movzx eax, di 0x0000002d popad 0x0000002e pop ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov edx, esi 0x00000034 mov ah, A1h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5240AAC second address: 5240ACC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 4ACDh 0x00000007 jmp 00007F756452AB5Ah 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov edi, 3A6A5400h 0x00000018 mov al, dl 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5240ACC second address: 5240AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0864 second address: 51D0869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0869 second address: 51D0883 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0883 second address: 51D0887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0887 second address: 51D088D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D088D second address: 51D08BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F756452AB68h 0x00000009 adc eax, 6D1A9538h 0x0000000f jmp 00007F756452AB5Bh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230CA4 second address: 5230CEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov di, ax 0x0000000e mov di, si 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F75653B01BFh 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F75653B01C0h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230CEE second address: 5230CF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230CF4 second address: 5230D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F75653B01BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5240330 second address: 5240336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5240336 second address: 524035E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F75653B01C4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 524035E second address: 52403E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bx, si 0x0000000e pushfd 0x0000000f jmp 00007F756452AB60h 0x00000014 or si, 6C58h 0x00000019 jmp 00007F756452AB5Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007F756452AB66h 0x00000027 mov eax, dword ptr [ebp+08h] 0x0000002a jmp 00007F756452AB60h 0x0000002f and dword ptr [eax], 00000000h 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 pushfd 0x00000036 jmp 00007F756452AB5Ch 0x0000003b jmp 00007F756452AB65h 0x00000040 popfd 0x00000041 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52109E3 second address: 52109F3 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 5E209FD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c mov esi, edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5240BC1 second address: 5240BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51F0806 second address: 51F080C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51F080C second address: 51F0810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51F0810 second address: 51F0814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51F0814 second address: 51F0895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F756452AB5Ch 0x0000000f mov di, si 0x00000012 pop ecx 0x00000013 call 00007F756452AB67h 0x00000018 mov dx, si 0x0000001b pop ecx 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f push edi 0x00000020 mov dx, ax 0x00000023 pop ecx 0x00000024 pushfd 0x00000025 jmp 00007F756452AB69h 0x0000002a and ecx, 698980E6h 0x00000030 jmp 00007F756452AB61h 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F756452AB5Dh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 525092C second address: 5250930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250930 second address: 5250936 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250936 second address: 525093C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 525093C second address: 5250940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250940 second address: 5250944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250944 second address: 525095E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F756452AB5Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 525095E second address: 5250A39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 pushfd 0x00000007 jmp 00007F75653B01C0h 0x0000000c sub ah, FFFFFFC8h 0x0000000f jmp 00007F75653B01BBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007F75653B01C9h 0x0000001e xchg eax, ebp 0x0000001f pushad 0x00000020 jmp 00007F75653B01BCh 0x00000025 pushfd 0x00000026 jmp 00007F75653B01C2h 0x0000002b adc esi, 006DCB88h 0x00000031 jmp 00007F75653B01BBh 0x00000036 popfd 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F75653B01C4h 0x00000041 add ah, FFFFFFE8h 0x00000044 jmp 00007F75653B01BBh 0x00000049 popfd 0x0000004a mov ch, 21h 0x0000004c popad 0x0000004d push ebp 0x0000004e jmp 00007F75653B01C0h 0x00000053 mov dword ptr [esp], ecx 0x00000056 pushad 0x00000057 pushfd 0x00000058 jmp 00007F75653B01BEh 0x0000005d sub ecx, 74064B78h 0x00000063 jmp 00007F75653B01BBh 0x00000068 popfd 0x00000069 push eax 0x0000006a push edx 0x0000006b mov dh, al 0x0000006d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250A39 second address: 5250AB7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F756452AB5Bh 0x00000008 jmp 00007F756452AB63h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 mov eax, dword ptr [76FB65FCh] 0x00000016 pushad 0x00000017 movzx ecx, dx 0x0000001a jmp 00007F756452AB61h 0x0000001f popad 0x00000020 test eax, eax 0x00000022 jmp 00007F756452AB5Eh 0x00000027 je 00007F75D620DA33h 0x0000002d jmp 00007F756452AB60h 0x00000032 mov ecx, eax 0x00000034 pushad 0x00000035 jmp 00007F756452AB5Eh 0x0000003a pushad 0x0000003b mov ax, D247h 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52100BD second address: 52100D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F75653B01C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52100D5 second address: 5210127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ecx 0x0000000b jmp 00007F756452AB67h 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F756452AB5Bh 0x0000001a adc cl, FFFFFFBEh 0x0000001d jmp 00007F756452AB69h 0x00000022 popfd 0x00000023 mov bh, ch 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210127 second address: 521012D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 521012D second address: 5210131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210131 second address: 521014C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F75653B01BBh 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov bx, si 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 521014C second address: 521018D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F756452AB62h 0x0000000f sub esi, 58B2C548h 0x00000015 jmp 00007F756452AB5Bh 0x0000001a popfd 0x0000001b popad 0x0000001c mov ebx, dword ptr [ebp+10h] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 521018D second address: 5210193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210193 second address: 52101B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756452AB69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52101B0 second address: 52101F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F75653B01C8h 0x00000010 adc si, F538h 0x00000015 jmp 00007F75653B01BBh 0x0000001a popfd 0x0000001b mov ch, 2Fh 0x0000001d popad 0x0000001e mov dword ptr [esp], esi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52101F0 second address: 5210259 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F756452AB5Ah 0x00000015 sub cx, EEC8h 0x0000001a jmp 00007F756452AB5Bh 0x0000001f popfd 0x00000020 mov bx, si 0x00000023 popad 0x00000024 xchg eax, edi 0x00000025 pushad 0x00000026 call 00007F756452AB60h 0x0000002b push esi 0x0000002c pop edx 0x0000002d pop eax 0x0000002e mov bx, C472h 0x00000032 popad 0x00000033 push eax 0x00000034 jmp 00007F756452AB68h 0x00000039 xchg eax, edi 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210259 second address: 5210276 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210276 second address: 52102D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F756452AB67h 0x00000009 xor ecx, 32B3D52Eh 0x0000000f jmp 00007F756452AB69h 0x00000014 popfd 0x00000015 mov si, 5BB7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c test esi, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F756452AB69h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52102D5 second address: 52102DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52102DB second address: 52102DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52102DF second address: 521034C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F75D70CE4E4h 0x0000000e pushad 0x0000000f pushad 0x00000010 mov eax, ebx 0x00000012 push edx 0x00000013 pop ecx 0x00000014 popad 0x00000015 push edx 0x00000016 jmp 00007F75653B01C6h 0x0000001b pop eax 0x0000001c popad 0x0000001d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000024 pushad 0x00000025 mov dx, 50B2h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushfd 0x0000002c jmp 00007F75653B01C9h 0x00000031 xor si, 6186h 0x00000036 jmp 00007F75653B01C1h 0x0000003b popfd 0x0000003c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 521034C second address: 521035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F75D6248E30h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 521035C second address: 5210360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210360 second address: 52103C6 instructions: 0x00000000 rdtsc 0x00000002 call 00007F756452AB64h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dh, 09h 0x0000000c popad 0x0000000d mov edx, dword ptr [esi+44h] 0x00000010 jmp 00007F756452AB5Ah 0x00000015 or edx, dword ptr [ebp+0Ch] 0x00000018 jmp 00007F756452AB60h 0x0000001d test edx, 61000000h 0x00000023 jmp 00007F756452AB60h 0x00000028 jne 00007F75D6248E2Ch 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F756452AB5Ah 0x00000037 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52103C6 second address: 52103D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52103D5 second address: 52103DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 71h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230032 second address: 52300CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F75653B01C6h 0x0000000d push eax 0x0000000e pushad 0x0000000f mov dx, B7E4h 0x00000013 pushad 0x00000014 call 00007F75653B01C3h 0x00000019 pop ecx 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f jmp 00007F75653B01C5h 0x00000024 mov ebp, esp 0x00000026 jmp 00007F75653B01BEh 0x0000002b and esp, FFFFFFF8h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push edx 0x00000032 pop eax 0x00000033 pushfd 0x00000034 jmp 00007F75653B01C9h 0x00000039 sub cx, 1196h 0x0000003e jmp 00007F75653B01C1h 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52300CF second address: 52300E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov di, D6A0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F756452AB5Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52300E9 second address: 5230112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dx, cx 0x00000013 call 00007F75653B01C4h 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230112 second address: 523012D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523012D second address: 523014A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523014A second address: 52301B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F756452AB67h 0x00000009 jmp 00007F756452AB63h 0x0000000e popfd 0x0000000f mov cx, 356Fh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 jmp 00007F756452AB65h 0x0000001c xchg eax, esi 0x0000001d jmp 00007F756452AB5Eh 0x00000022 mov esi, dword ptr [ebp+08h] 0x00000025 pushad 0x00000026 mov esi, 6CD0F29Dh 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52301B0 second address: 52301F3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F75653B01BFh 0x00000008 or eax, 3AC84B0Eh 0x0000000e jmp 00007F75653B01C9h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 sub ebx, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F75653B01BAh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52301F3 second address: 5230245 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F756452AB66h 0x00000010 je 00007F75D6220CCAh 0x00000016 jmp 00007F756452AB60h 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F756452AB5Ah 0x0000002b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230245 second address: 5230249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230249 second address: 523024F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523024F second address: 52302D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c mov edx, ecx 0x0000000e mov si, 9889h 0x00000012 popad 0x00000013 je 00007F75D70A62EEh 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F75653B01BEh 0x00000020 xor al, FFFFFFD8h 0x00000023 jmp 00007F75653B01BBh 0x00000028 popfd 0x00000029 popad 0x0000002a test byte ptr [76FB6968h], 00000002h 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov cx, di 0x00000037 pushfd 0x00000038 jmp 00007F75653B01C7h 0x0000003d xor si, CB4Eh 0x00000042 jmp 00007F75653B01C9h 0x00000047 popfd 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52302D6 second address: 52302DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52302DC second address: 52302F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F75D70A6288h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52302F0 second address: 52302F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52302F4 second address: 5230304 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230304 second address: 523033E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push esi 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F756452AB61h 0x00000017 add ah, FFFFFF96h 0x0000001a jmp 00007F756452AB61h 0x0000001f popfd 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523033E second address: 5230343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230343 second address: 523037E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 46033CA0h 0x00000008 call 00007F756452AB69h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F756452AB63h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523037E second address: 5230407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c jmp 00007F75653B01BEh 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 mov di, ax 0x00000016 mov dx, si 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F75653B01C0h 0x00000024 xor cx, 0E08h 0x00000029 jmp 00007F75653B01BBh 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F75653B01C8h 0x00000035 add eax, 089F3068h 0x0000003b jmp 00007F75653B01BBh 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230407 second address: 523041C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F756452AB5Fh 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523041C second address: 523042A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523042A second address: 523042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523042E second address: 523043C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523043C second address: 5230442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230442 second address: 5230446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230446 second address: 5230467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F756452AB64h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230467 second address: 523046D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 523046D second address: 5230471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230471 second address: 523047F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+10h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5220027 second address: 522002D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 522002D second address: 522005A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dl, cl 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F75653B01C1h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 522005A second address: 522006F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 522006F second address: 5220075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5220075 second address: 5220079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5271962 second address: 5271966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5271966 second address: 527196C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 527196C second address: 52719B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007F75653B01BEh 0x00000010 mov dx, cx 0x00000013 pop esi 0x00000014 mov edi, 1179BFB2h 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F75653B01C2h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52719B5 second address: 52719B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52719B9 second address: 52719BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52719BF second address: 52719EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F756452AB60h 0x00000012 xor al, 00000028h 0x00000015 jmp 00007F756452AB5Bh 0x0000001a popfd 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52719EE second address: 5271A42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov cl, 25h 0x0000000e mov ax, bx 0x00000011 popad 0x00000012 push 0000007Fh 0x00000014 jmp 00007F75653B01C3h 0x00000019 push 00000001h 0x0000001b jmp 00007F75653B01C6h 0x00000020 push dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push edi 0x00000027 pop ecx 0x00000028 push edx 0x00000029 pop eax 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5271A7D second address: 5271A81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5271A81 second address: 5271962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edx, eax 0x00000008 popad 0x00000009 retn 0004h 0x0000000c lea eax, dword ptr [ebp-10h] 0x0000000f push eax 0x00000010 call ebx 0x00000012 mov edi, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D03EC second address: 51D0410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov edi, 45788144h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F756452AB64h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0410 second address: 51D0416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0416 second address: 51D0427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756452AB5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0427 second address: 51D042B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D042B second address: 51D0479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F756452AB5Dh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F756452AB63h 0x00000019 and ch, 0000001Eh 0x0000001c jmp 00007F756452AB69h 0x00000021 popfd 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0479 second address: 51D047E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D047E second address: 51D048C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756452AB5Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D048C second address: 51D04AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F75653B01BBh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D04AE second address: 51D04B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D04B3 second address: 51D04B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D04B9 second address: 51D04D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D04D7 second address: 51D04DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D04DB second address: 51D04E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D04E1 second address: 51D051C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F75653B01BCh 0x00000011 or ch, 00000038h 0x00000014 jmp 00007F75653B01BBh 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c mov edx, ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D051C second address: 51D0546 instructions: 0x00000000 rdtsc 0x00000002 call 00007F756452AB62h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b and dword ptr [ebp-04h], 00000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F756452AB5Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0546 second address: 51D05E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F75653B01BDh 0x00000009 and si, AC36h 0x0000000e jmp 00007F75653B01C1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 lea eax, dword ptr [ebp-04h] 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F75653B01BCh 0x00000021 and al, 00000058h 0x00000024 jmp 00007F75653B01BBh 0x00000029 popfd 0x0000002a pushad 0x0000002b jmp 00007F75653B01C6h 0x00000030 call 00007F75653B01C2h 0x00000035 pop esi 0x00000036 popad 0x00000037 popad 0x00000038 push edx 0x00000039 jmp 00007F75653B01BEh 0x0000003e mov dword ptr [esp], eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F75653B01C7h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D05E8 second address: 51D0624 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F756452AB68h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D0624 second address: 51D0633 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D069B second address: 51D06A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 51D06A1 second address: 51D0754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F75D4FDBBBAh 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F75653B01BEh 0x00000015 add si, 9D88h 0x0000001a jmp 00007F75653B01BBh 0x0000001f popfd 0x00000020 mov dx, si 0x00000023 popad 0x00000024 mov eax, dword ptr [ebp-04h] 0x00000027 pushad 0x00000028 push esi 0x00000029 pushfd 0x0000002a jmp 00007F75653B01C7h 0x0000002f or eax, 0D471A7Eh 0x00000035 jmp 00007F75653B01C9h 0x0000003a popfd 0x0000003b pop ecx 0x0000003c pushad 0x0000003d mov cx, di 0x00000040 pushfd 0x00000041 jmp 00007F75653B01C3h 0x00000046 sub cx, CC8Eh 0x0000004b jmp 00007F75653B01C9h 0x00000050 popfd 0x00000051 popad 0x00000052 popad 0x00000053 leave 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 mov esi, 66922B69h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250F57 second address: 5250F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250F5C second address: 5250F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F75653B01BCh 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov eax, ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230E86 second address: 5230E98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, B7h 0x00000005 mov dh, al 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230E98 second address: 5230E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5230E9C second address: 5230EA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5210D0C second address: 5210DEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F75653B01C0h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F75653B01C7h 0x00000018 sub al, FFFFFFBEh 0x0000001b jmp 00007F75653B01C9h 0x00000020 popfd 0x00000021 mov edx, eax 0x00000023 popad 0x00000024 call 00007F75653B01BCh 0x00000029 pushfd 0x0000002a jmp 00007F75653B01C2h 0x0000002f sub eax, 43F5F0E8h 0x00000035 jmp 00007F75653B01BBh 0x0000003a popfd 0x0000003b pop esi 0x0000003c popad 0x0000003d xchg eax, ebp 0x0000003e pushad 0x0000003f call 00007F75653B01C5h 0x00000044 call 00007F75653B01C0h 0x00000049 pop eax 0x0000004a pop edx 0x0000004b mov di, si 0x0000004e popad 0x0000004f mov ebp, esp 0x00000051 jmp 00007F75653B01BAh 0x00000056 pop ebp 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F75653B01C7h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 529010D second address: 5290113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5290113 second address: 5290117 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5290117 second address: 5290126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5290126 second address: 529012C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 529012C second address: 5290179 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F756452AB66h 0x00000008 movzx ecx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F756452AB5Dh 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F756452AB68h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5290179 second address: 5290188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5290188 second address: 5290221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 4957EDA6h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f pushad 0x00000010 mov edx, 2253992Ch 0x00000015 pushfd 0x00000016 jmp 00007F756452AB65h 0x0000001b xor ch, 00000006h 0x0000001e jmp 00007F756452AB61h 0x00000023 popfd 0x00000024 popad 0x00000025 call 00007F756452AB60h 0x0000002a mov si, E0C1h 0x0000002e pop esi 0x0000002f popad 0x00000030 push dword ptr [ebp+08h] 0x00000033 pushad 0x00000034 push edi 0x00000035 jmp 00007F756452AB66h 0x0000003a pop ecx 0x0000003b pushad 0x0000003c mov edi, 3D6404B4h 0x00000041 jmp 00007F756452AB5Dh 0x00000046 popad 0x00000047 popad 0x00000048 push 070AE713h 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F756452AB5Ah 0x00000054 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 525038D second address: 525039E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov ch, bh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 525039E second address: 52503D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F756452AB65h 0x0000000a sub cx, B0F6h 0x0000000f jmp 00007F756452AB61h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52503D0 second address: 52503D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52503D6 second address: 5250419 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF0h 0x0000000b jmp 00007F756452AB5Fh 0x00000010 sub esp, 44h 0x00000013 pushad 0x00000014 push eax 0x00000015 mov ecx, edx 0x00000017 pop edx 0x00000018 mov edi, esi 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c jmp 00007F756452AB66h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250419 second address: 525041F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 525041F second address: 525047D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c call 00007F756452AB5Bh 0x00000011 pop ecx 0x00000012 pop edi 0x00000013 mov eax, 4C530495h 0x00000018 popad 0x00000019 xchg eax, esi 0x0000001a jmp 00007F756452AB60h 0x0000001f push eax 0x00000020 jmp 00007F756452AB5Bh 0x00000025 xchg eax, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F756452AB65h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 525047D second address: 52504D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F75653B01BEh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F75653B01C1h 0x00000017 or cx, FA96h 0x0000001c jmp 00007F75653B01C1h 0x00000021 popfd 0x00000022 mov edi, eax 0x00000024 popad 0x00000025 xchg eax, edi 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52504D6 second address: 52504DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52504DA second address: 52504E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52504E0 second address: 52504F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F756452AB5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52504F1 second address: 525051A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F75653B01BDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 525051A second address: 52505A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F756452AB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+24h], 00000000h 0x00000011 pushad 0x00000012 jmp 00007F756452AB5Ch 0x00000017 mov bx, cx 0x0000001a popad 0x0000001b lock bts dword ptr [edi], 00000000h 0x00000020 jmp 00007F756452AB5Ch 0x00000025 jc 00007F75D61ACA30h 0x0000002b pushad 0x0000002c pushad 0x0000002d mov bl, al 0x0000002f pushfd 0x00000030 jmp 00007F756452AB69h 0x00000035 xor esi, 40466176h 0x0000003b jmp 00007F756452AB61h 0x00000040 popfd 0x00000041 popad 0x00000042 popad 0x00000043 pop edi 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 mov esi, ebx 0x00000049 mov edx, 5C73D2D6h 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52505A3 second address: 52505E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ch, dl 0x0000000f pushfd 0x00000010 jmp 00007F75653B01C6h 0x00000015 adc cx, 2028h 0x0000001a jmp 00007F75653B01BBh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52505E2 second address: 52505E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52505E8 second address: 52505EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 52505EC second address: 5250601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F756452AB5Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250601 second address: 5250629 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F75653B01BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F75653B01C5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 5250629 second address: 525062F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe RDTSC instruction interceptor: First address: 525062F second address: 5250633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Special instruction interceptor: First address: 9C7A65 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Special instruction interceptor: First address: 9C7AFE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Special instruction interceptor: First address: BE6701 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: E87A65 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: E87AFE instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 10A6701 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: F17A65 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: F17AFE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1136701 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_0528095C rdtsc 0_2_0528095C
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Window / User API: threadDelayed 1097
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Window / User API: threadDelayed 1123
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Window / User API: threadDelayed 3732
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1279
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1282
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1322
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1333
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1291
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1287
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1296
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1296
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1268
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 622
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2214
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 628
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2115
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2110
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1304
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1299
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1266
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1297
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 6704 Thread sleep count: 52 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 6704 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 6780 Thread sleep count: 52 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 6780 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 5576 Thread sleep count: 118 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 5576 Thread sleep count: 63 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 3620 Thread sleep count: 1097 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 3620 Thread sleep time: -2195097s >= -30000s
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 6956 Thread sleep count: 49 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 6956 Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 5576 Thread sleep count: 166 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 4584 Thread sleep count: 1123 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 4584 Thread sleep time: -2247123s >= -30000s
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 5576 Thread sleep count: 64 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 4520 Thread sleep count: 3732 > 30
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe TID: 4520 Thread sleep time: -7467732s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7196 Thread sleep count: 33 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7196 Thread sleep time: -66033s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7176 Thread sleep count: 1279 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7176 Thread sleep time: -2559279s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7172 Thread sleep count: 1282 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7172 Thread sleep time: -2565282s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6748 Thread sleep count: 180 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7192 Thread sleep count: 1322 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7192 Thread sleep time: -2645322s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7184 Thread sleep count: 1333 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7184 Thread sleep time: -2667333s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7292 Thread sleep count: 35 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7292 Thread sleep time: -70035s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7264 Thread sleep count: 1291 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7264 Thread sleep time: -2583291s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6980 Thread sleep count: 112 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7288 Thread sleep count: 1287 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7288 Thread sleep time: -2575287s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7284 Thread sleep count: 1296 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7284 Thread sleep time: -2593296s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7276 Thread sleep count: 1296 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7276 Thread sleep time: -2593296s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6980 Thread sleep count: 178 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7272 Thread sleep count: 1268 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7272 Thread sleep time: -2537268s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6980 Thread sleep count: 71 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7532 Thread sleep count: 51 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7532 Thread sleep time: -102051s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7524 Thread sleep count: 622 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7524 Thread sleep time: -1244622s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7456 Thread sleep count: 81 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7504 Thread sleep count: 2214 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7504 Thread sleep time: -4430214s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7512 Thread sleep count: 628 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7512 Thread sleep time: -1256628s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7456 Thread sleep count: 179 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7508 Thread sleep count: 2115 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7508 Thread sleep time: -4232115s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7456 Thread sleep count: 72 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7528 Thread sleep count: 2110 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7528 Thread sleep time: -4222110s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7824 Thread sleep count: 80 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7824 Thread sleep time: -160080s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7816 Thread sleep count: 1304 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7816 Thread sleep time: -2609304s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7784 Thread sleep count: 107 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7784 Thread sleep count: 172 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7800 Thread sleep count: 1299 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7800 Thread sleep time: -2599299s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7808 Thread sleep count: 1266 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7808 Thread sleep time: -2533266s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7784 Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7812 Thread sleep count: 1297 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7812 Thread sleep time: -2595297s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.3059321742.000000000109E000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 00000008.00000002.3061452900.0000000001640000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000008.00000002.3061452900.00000000016C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b})
Source: 3CkMJ4UkNy.exe, 00000000.00000003.1671052455.0000000001326000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000008.00000002.3061452900.00000000016A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: RageMP131.exe, 00000009.00000002.3061632100.000000000141F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: MPGPH131.exe, 00000005.00000002.3057445876.00000000007CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&8i_T)
Source: RageMP131.exe, 00000009.00000003.1949329310.0000000001427000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.0000000001317000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.0000000001356000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3057445876.0000000000826000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3056203290.000000000078B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2526206357.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3061452900.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3061452900.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.000000000140D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.000000000145C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 00000009.00000002.3061632100.00000000013B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&8\
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3061489184.000000000134A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 00000009.00000003.1949329310.0000000001427000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000005.00000002.3057445876.0000000000857000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3061632100.0000000001441000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: MPGPH131.exe, 00000006.00000002.3056203290.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2526206357.00000000007CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWv]
Source: 3CkMJ4UkNy.exe, 00000000.00000002.3057736410.0000000000B4E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.3061454551.000000000100E000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.3061284934.000000000100E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3060402621.000000000109E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000002.3059321742.000000000109E000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 00000008.00000002.3061452900.00000000016B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}O
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_04D00794 Start: 04D007FC End: 04D007A8 6_2_04D00794
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_053E0F45 Start: 053E0F17 End: 053E0F13 9_2_053E0F45
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_0528095C rdtsc 0_2_0528095C
Source: 3CkMJ4UkNy.exe, 3CkMJ4UkNy.exe, 00000000.00000002.3057736410.0000000000B4E000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 00000009.00000002.3059321742.000000000109E000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: +2XProgram Manager
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Code function: 0_2_0086360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_0086360D
Source: C:\Users\user\Desktop\3CkMJ4UkNy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
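The indicator strings in the anti-VM and anti-debugging findings above were recovered from memory dumps (.sdmp regions), not from the file on disk, and several are well-known tells: \\.\SICE, \\.\NTICE and \\.\SIWVID are the SoftICE driver device names; "gbdyllo" is "ollydbg" reversed; the SCSI VEN_VMWARE identifier and the ACPI DSDT VBOX__ table name are hypervisor fingerprints; and Oreans.vxd together with Software\WinLicense and the "API Error while extraction the driver" messages are strings of the Oreans WinLicense/Themida protector. The API-level checks in this section (HideFromDebugger, DebugPort queries, rdtsc and GetSystemTimePreciseAsFileTime pairs) leave no such strings and are only visible in an API trace or under a debugger. The scanner below is an added example, not part of this report or of the sample: it searches a file or memory dump for the string-bearing indicators in both ASCII and UTF-16LE (Windows keeps window-class and device names in either form) and applies a word-boundary guard to the short SoftICE names so that "SICE" is not reported from inside unrelated text. The category labels and the embedded sample buffer are constructions of this example.

```python
"""Scan a PE file or process memory dump for the anti-analysis indicator
strings seen in the report above.  Added example, not report or sample code.
Usage: python scan_indicators.py <dump-or-exe>   (no argument: built-in sample)
"""
import re
import sys
from typing import Dict, Iterator, List, NamedTuple, Tuple

# Indicator strings taken from the report's anti-VM / anti-debugging findings.
# Category names are this example's own labelling, not the sandbox's.
INDICATORS: Dict[str, List[str]] = {
    "debugger": ["ollydbg", "gbdyllo", "NTICE", "SICE", "SIWVID"],
    "vm": ["VEN_VMWARE", "VBOX__", "Hyper-V RAW"],
    "protector": ["Oreans.vxd", "WinLicense"],
}
ENCODINGS = ("ascii", "utf-16-le")
BOUNDARY_BELOW = 6  # indicators shorter than this must not sit inside a longer word


class Hit(NamedTuple):
    offset: int
    encoding: str
    category: str
    indicator: str


def _compile(indicators: Dict[str, List[str]]) -> Iterator[Tuple[str, str, str, "re.Pattern"]]:
    """Yield (category, indicator, encoding, compiled byte pattern) for every variant."""
    for category, words in indicators.items():
        for word in words:
            for enc in ENCODINGS:
                body = re.escape(word.encode(enc))
                if len(word) < BOUNDARY_BELOW:
                    # "SICE" is four bytes and matches inside words like "BASICEXAMPLE";
                    # require non-alphanumeric neighbours.  For UTF-16LE the neighbour
                    # is a two-byte code unit (ASCII letter followed by a NUL byte).
                    unit = rb"[A-Za-z0-9]" if enc == "ascii" else rb"[A-Za-z0-9]\x00"
                    body = rb"(?<!" + unit + rb")" + body + rb"(?!" + unit + rb")"
                # IGNORECASE on a bytes pattern folds ASCII letters only, which is
                # exactly what the ASCII and UTF-16LE spellings need.
                yield category, word, enc, re.compile(body, re.IGNORECASE)


def scan(data: bytes, indicators: Dict[str, List[str]] = INDICATORS) -> List[Hit]:
    """Return every indicator occurrence in data, ordered by offset."""
    hits = [
        Hit(m.start(), enc, category, word)
        for category, word, enc, pat in _compile(indicators)
        for m in pat.finditer(data)
    ]
    return sorted(hits)


def summarize(hits: List[Hit]) -> Dict[str, List[str]]:
    """Collapse hits to category -> sorted distinct indicators for a triage verdict."""
    out: Dict[str, set] = {}
    for h in hits:
        out.setdefault(h.category, set()).add(h.indicator)
    return {cat: sorted(names) for cat, names in out.items()}


# Constructed stand-in for a memory dump: NUL-separated strings modelled on the
# report's findings, plus a benign word containing "SICE" that must NOT be reported.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\NTICE\x00"
    + b"\\\\.\\SIWVID\x00"
    + "ollydbg".encode("utf-16-le") + b"\x00\x00"   # wide window-class name
    + b"gbdyllo\x00"
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
    + b"Software\\WinLicense\x00"
    + b"BASICEXAMPLE\x00"
)


def main(argv: List[str]) -> int:
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_DUMP
    hits = scan(data)
    for h in hits:
        print(f"0x{h.offset:08x}  {h.encoding:9}  {h.category:9}  {h.indicator}")
    print("summary:", summarize(hits))
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the sandbox's memory dumps or a live process dump rather than the packed executable: under a Themida/WinLicense-style protector these strings only exist after unpacking, which is why the report attributes them to .sdmp regions. A hit on the short SoftICE names alone is weak evidence; the report's verdict rests on combining such strings with the behavioural findings (HideFromDebugger, DebugPort, rdtsc).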

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: 3CkMJ4UkNy.exe PID: 2536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7780, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: 3CkMJ4UkNy.exe PID: 2536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7780, type: MEMORYSTR